A Short Review of the NTRU Cryptosystem
1. A short review of the NTRU cryptosystem
Zhenfei Zhang
zzhang@onboardsecurity.com
July 12, 2017
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 1 / 42
5. Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)
7. Why lattice
the real reason
1994, Shor's algorithm: breaks RSA and ECC on a quantum computer;
2015, NSA announcement: prepare for the quantum apocalypse;
2017, NIST call for competition/standardization;
2030(?), predicted general-purpose quantum computers;
bonus points
Good understanding of the underlying hard problem;
Fast, parallelizable, hardware friendly;
Numerous applications: FHE, ABE, MMap, obfuscation, ...
8. Why lattice
the real reason
2030(?), predicted general-purpose quantum computers;
Data vaulting attack
A.k.a. the harvest-then-decrypt attack: record encrypted traffic today, decrypt it once a quantum computer exists;
Data need to stay secret for, say, 30 years;
Quantum computer arrives in, say, 15 years;
Perhaps the most practical attack in cryptography!
10. State-of-the-art lattice-based crypto in practice
Key exchange/establishment schemes
NewHope (R-LWE), Frodo (LWE), NTRU-KEM (NTRU)
Encryption schemes
NTRUEncrypt (NTRU) - standardized by IEEE (P1363.1) and ASC X9 (X9.98).
Signature schemes
BLISS (NTRU), pqNTRUSign (NTRU), TESLA (R-LWE)
11. Figure source: Christine van Vredendaal
12. How they are used in practice
Hybrid mode: QSC + ECC/RSA, i.e. a quantum-safe scheme combined with a classical one, so the session stays secure as long as either component holds;
Example: "quantum-safing" the handshake for TLS
15. Figure source: Wendy Cordero’s High School Math Site
16. Lattice
Definition of a Lattice
All the integral combinations of $d \le n$ linearly independent vectors $b_1, \ldots, b_d$ over $\mathbb{R}^n$:
$$L = \mathbb{Z} b_1 + \cdots + \mathbb{Z} b_d = \{ \lambda_1 b_1 + \cdots + \lambda_d b_d : \lambda_i \in \mathbb{Z} \}$$
$d$ is the dimension; $B = (b_1, \ldots, b_d)$ is a basis (rows are basis vectors).
An example with $d = 2 \le n = 3$:
$$B = \begin{pmatrix} 5 & 1 & 2\sqrt{3} \\ 3 & 5\sqrt{2} & 1 \end{pmatrix}$$
In this talk: full-rank integer bases, $B \in \mathbb{Z}^{n \times n}$.
17. Example
A lattice $L$ with basis
$$B = \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix}$$
All lattice crypto talks start with an image of a dim-2 lattice.
18-20. Example
The same lattice has infinitely many bases: for every unimodular $U$ (integer matrix with $\det U = \pm 1$), $UB$ generates exactly $L$ again.
$$\begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix}\begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ -3 & 11 \end{pmatrix},\qquad
\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix}\begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ 13 & 21 \end{pmatrix},\qquad
\begin{pmatrix} 3 & 1 \\ 2 & 1 \end{pmatrix}\begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 29 & 31 \\ 21 & 26 \end{pmatrix}$$
21. Example
The Shortest Vector and The First Minimum
$v = (8, 5)$, with $\lambda_1 = \sqrt{8^2 + 5^2} = \sqrt{89} \approx 9.434$.
22. Example
The Determinant
$\det L = \sqrt{\det(BB^T)} = |\det B| = 8 \cdot 16 - 5 \cdot 5 = 103$: the volume of the fundamental parallelepiped, the same for every basis of $L$.
26. NTRU lattice
NTRU ring
Originally: $\mathbb{Z}_q[x]/(x^N - 1)$, $q$ a power of 2, $N$ a prime;
Alternative 1: $\mathbb{Z}_q[x]/(x^N - x - 1)$, $q$ a prime;
Alternative 2: $\mathbb{Z}_q[x]/(x^N + 1)$, $q$ a prime, $N$ a power of 2.
Ring multiplication $h(x) = f(x) \cdot g(x)$:
Compute $h'(x) = f(x) \times g(x)$ over $\mathbb{Z}[x]$;
Reduce $h'(x) \bmod (x^N - 1) \bmod q$.
Alternatively, as a vector-matrix product with the circulant matrix of $g$:
$$(h_0, \ldots, h_{N-1}) = (f_0, \ldots, f_{N-1}) \times
\begin{pmatrix}
g_0 & g_1 & g_2 & \cdots & g_{N-1} \\
g_{N-1} & g_0 & g_1 & \cdots & g_{N-2} \\
g_{N-2} & g_{N-1} & g_0 & \cdots & g_{N-3} \\
\vdots & \vdots & \vdots & \ddots & \vdots \\
g_1 & g_2 & g_3 & \cdots & g_0
\end{pmatrix} \bmod q$$
29. NTRU lattice
NTRU assumption
Decisional: given two small ring elements $f$ and $g$, it is hard to distinguish $h = g/f$ from a uniformly random ring element;
Computational: given $h$, find $f$ and $g$.
NTRU lattice (rows are basis vectors, $H$ is the circulant matrix of $h$):
$$L = \begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix} = \begin{pmatrix}
q & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\
0 & q & \cdots & 0 & 0 & 0 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
0 & 0 & \cdots & q & 0 & 0 & \cdots & 0 \\
h_0 & h_1 & \cdots & h_{N-1} & 1 & 0 & \cdots & 0 \\
h_{N-1} & h_0 & \cdots & h_{N-2} & 0 & 1 & \cdots & 0 \\
\vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\
h_1 & h_2 & \cdots & h_0 & 0 & 0 & \cdots & 1
\end{pmatrix}$$
$\langle g, f \rangle$ (and its cyclic rotations) are unique shortest vectors in $L$, since $f \cdot (h, 1) = (f \cdot h, f) = (g, f)$ modulo $q$;
Decisional problem: decide if $L$ has unique shortest vectors;
Computational problem: find those vectors.
Both are hard for random lattices.
The real NTRU assumption: the NTRU lattice behaves the same as a random lattice.
33. NTRU lattice vs random lattice
A toy NTRU lattice with $q = 256$ and $h = g/f = 1/3 \equiv 171 \pmod{256}$ (since $3 \cdot 171 = 513 = 2 \cdot 256 + 1$), next to a lattice built from a random-looking $h = 17$:
$$\begin{pmatrix} 256 & 0 \\ 171 & 1 \end{pmatrix} \qquad\qquad \begin{pmatrix} 256 & 0 \\ 17 & 1 \end{pmatrix}$$
Left: $\langle g, f \rangle = \langle 1, 3 \rangle = -2 \cdot (256, 0) + 3 \cdot (171, 1)$ is an abnormally short lattice vector. Right: the basis vector $v = (17, 1)$; this lattice contains nothing nearly as short as $\langle 1, 3 \rangle$.
34. NTRU lattice vs random lattice
Random lattice: shortest vector $\approx$ Gaussian Heuristic length $= \sqrt{\dfrac{\dim}{2\pi e}} \cdot \det^{1/\dim}$;
NTRU lattice: unique shortest vectors of length $\|\langle g, f \rangle\|_2$, far below that.
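The dim-2 examples of slides 17-22 and 33-34, worked by brute force as an added example (this code is not from the talk): unimodular basis changes that preserve the determinant, the shortest vector found exhaustively, the Gaussian heuristic, and the toy NTRU lattice with $q = 256$ and $h = 1/3 \bmod 256 = 171$ (as $3 \cdot 171 = 513 \equiv 1$) next to the random-looking $h = 17$. The coefficient search box $|\lambda_i| \le 20$ is an assumption that is large enough for these particular bases.

```python
"""Added example (not from the talk): brute-force toolkit for the rank-2 lattices
on slides 17-22 and 33-34. Bases are lists of row vectors, as on the slides."""
import math
from itertools import product

B_SLIDE = [[8, 5], [5, 16]]        # slide 17
NTRU_TOY = [[256, 0], [171, 1]]    # slide 33: q = 256, h = 1/3 mod 256 = 171
RANDOM_TOY = [[256, 0], [17, 1]]   # slide 33: random-looking h = 17
UNIMODULAR = ([[1, 0], [-1, 1]], [[1, 0], [1, 1]], [[3, 1], [2, 1]])   # slides 18-20


def mat_mul(u, b):
    """Row-vector convention: (U B)[i] = sum_k U[i][k] * B[k]."""
    return [[sum(u[i][k] * b[k][j] for k in range(len(b))) for j in range(len(b[0]))]
            for i in range(len(u))]


def det_2x2(m):
    return m[0][0] * m[1][1] - m[0][1] * m[1][0]


def lattice_det(b):
    """det L = sqrt(det(B B^T)); for a square basis this equals |det B| (slide 22)."""
    gram = mat_mul(b, [list(col) for col in zip(*b)])   # B B^T
    return round(math.sqrt(det_2x2(gram)))


def shortest_vector(b, bound=20):
    """Brute-force SVP for a rank-2 basis: every integer combination
    lam_1*b1 + lam_2*b2 with |lam_i| <= bound; returns (vector, squared norm)."""
    best, best_norm2 = None, None
    for l1, l2 in product(range(-bound, bound + 1), repeat=2):
        if l1 == 0 and l2 == 0:
            continue
        v = [l1 * b[0][j] + l2 * b[1][j] for j in range(2)]
        n2 = v[0] ** 2 + v[1] ** 2
        if best_norm2 is None or n2 < best_norm2:
            best, best_norm2 = v, n2
    return best, best_norm2


def gaussian_heuristic(b):
    """Expected shortest length of a *random* lattice (slide 34):
    sqrt(dim / (2 pi e)) * det^(1/dim)."""
    dim = len(b)
    return math.sqrt(dim / (2 * math.pi * math.e)) * lattice_det(b) ** (1.0 / dim)


def in_lattice(b, v, bound=20):
    """Membership test over the same coefficient box."""
    return any([l1 * b[0][j] + l2 * b[1][j] for j in range(2)] == list(v)
               for l1, l2 in product(range(-bound, bound + 1), repeat=2))


if __name__ == "__main__":
    for u in UNIMODULAR:                 # same lattice, same det, same shortest length
        ub = mat_mul(u, B_SLIDE)
        print(u, "->", ub, "det L =", lattice_det(ub), "SV =", shortest_vector(ub))
    for name, b in (("NTRU", NTRU_TOY), ("random", RANDOM_TOY)):
        v, n2 = shortest_vector(b)
        print(name, "shortest", v, "length %.3f" % math.sqrt(n2),
              "Gaussian heuristic %.3f" % gaussian_heuristic(b))
```

The NTRU toy lattice reports $\langle 1, 3 \rangle$ at length $\sqrt{10}$ while the Gaussian heuristic for a determinant-256 lattice in dimension 2 is about $5.5$; the random-looking lattice has no vector shorter than $\sqrt{226}$. That gap is what the decisional NTRU assumption says an attacker cannot see for real parameters.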
36. Interlude: How to estimate lattice strength?
"Understanding lattice strength = mastering key technology. :D"
-- Jackie Chan
39. Interlude: How to estimate the lattice strength
Random lattice ("ideal world"): $\begin{pmatrix} qI_N & 0 \\ A & I_N \end{pmatrix}$; NTRU lattice ("real world"): $\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix}$.
Lattice reduction algorithms solve Approx.-SVP, measured by the root Hermite factor $\gamma$;
Cryptosystems rely on unique shortest vectors (uSVP), measured by the gap $\alpha = (\lambda_{N+1}/\lambda_1)^{1/2N}$.
$\alpha$-uSVP $\approx$ $\gamma$-SVP $\longrightarrow$ we can use BKZ/LLL results on uSVP.
For the NTRU lattice ($\dim = 2N$, $\det = q^N$, with $\|\langle g, f \rangle\|_2^2 = 2d$):
$$\lambda_1 = \lambda_2 = \cdots = \lambda_N = \|\langle g, f \rangle\|_2 = \sqrt{2d}$$
$$\lambda_{N+1} \approx \text{Gaussian Heuristic length} = \sqrt{\frac{\dim}{2\pi e}} \cdot \det^{1/\dim} = \sqrt{\frac{Nq}{\pi e}}$$
$$\alpha = \left(\frac{\lambda_{N+1}}{\lambda_1}\right)^{1/2N} = \left(\frac{Nq}{2d\pi e}\right)^{1/4N}$$
Not limited to NTRU: almost all efficient lattice crypto is based on uSVP.
Example: $N = 743$, $q = 2048$, $d = 495$: $\alpha \approx 1.0038$.
If BKZ 2.0 can solve Approx.-SVP with $\gamma = 1.0038$, it can solve this uSVP instance;
Lattice strength = cost of BKZ 2.0 with $\gamma = 1.0038$.
43. Interlude: Lattice reductions
Overview
              time        space     approx. factor
LLL           poly        poly      exp
BKZ           sub-exp     sub-exp   sub-exp
Enumeration   super-exp   poly      1
Sieving       exp         exp       1
Best in practice: BKZ 2.0
  Input $B = (b_1, \ldots, b_n)$ and block size $k$
  Repeat:
    For $i$ from 1 to $n-k+1$ do
      Solve SVP for the sub-lattice $(b_i, \ldots, b_{i+k-1})$
      Size-reduction
The SVP solver inside the block:
Original BKZ 2.0: enumeration with extreme pruning;
"New Hope" cost model: (quantum) sieving.
45. Interlude: Estimate BKZ 2.0 cost
Example: $n = 1024$, $\gamma = 1.006$ (enumeration with extreme pruning)
To arrive at $\gamma = 1.006$ one needs block size 216;
Finding the SV in a dim-216 lattice requires $> 2^{105}$ enumeration nodes;
Per-node cost $2^7$;
The SV solver is called $(n - k + 1) \times \text{rounds} > 2^9$ times;
Total cost $> 2^{105 + 7 + 9} = 2^{121}$.
46. Interlude: Estimate BKZ 2.0 cost
Example: $n = 1024$, $\gamma = 1.006$ (sieving)
To arrive at $\gamma = 1.006$ one needs block size 216;
Finding the SV in a dim-216 lattice requires $> 2^{0.3 \cdot 216} \approx 2^{65}$ operations;
Also requires $\approx 2^{65}$ space;
The SV solver is called $(n - k + 1) \times \text{rounds} > 2^9$ times;
Total cost $> 2^{74}$.
48. NTRUEncrypt
A CCA-2 secure encryption scheme based on the NTRU assumption. The basic scheme first:
Enc($h = g/f$, $p = 3$, $R$, $m \in \{-1, 0, 1\}^N$)
  Find a random small ring element $r$;
  Compute $e = p \times r \cdot h + m$.
Dec($f$, $p = 3$, $R$, $e$)
  Compute $c = e \cdot f = p \times r \cdot g + m \cdot f$ (the result mod $q$ is lifted to $(-q/2, q/2]$; this is the true value over $\mathbb{Z}$ as long as no coefficient wraps around, which is what the parameter choice guarantees);
  Reduce $c \bmod p = m \cdot f \bmod p$;
  Recover $m = c \cdot f^{-1} \bmod p$.
49. NTRUEncrypt
Choosing $f \equiv 1 \pmod p$ removes the inverse mod $p$:
Dec($f \equiv 1 \bmod p$, $p = 3$, $R$, $e$)
  Compute $c = e \cdot f = p \times r \cdot g + m \cdot f$;
  Reduce $c \bmod p = m \cdot f \bmod p = m$.
50. NTRUEncrypt
The CCA-2 version masks the message and re-derives the randomness on decryption ($\otimes$ is the masking operation, $|$ is concatenation):
Enc($h = g/f$, $p = 3$, $f \equiv 1 \bmod p$, $R$, $m \in \{-1, 0, 1\}^k$)
  Find a random string $b$; $r = \mathrm{hash}(h | b)$;
  $m' = r \otimes (m | b)$;
  Compute $e = p \times r \cdot h + m'$.
Dec($f \equiv 1 \bmod p$, $g$, $p = 3$, $R$, $e$)
  Compute $c = e \cdot f = p \times r \cdot g + m' \cdot f$;
  Reduce $c \bmod p = m' \cdot f \bmod p = m'$;
  Compute $r' = p^{-1} \times (c - m' \cdot f) \cdot g^{-1}$;
  Extract $m, b$ from $m' \otimes r'$, recompute $r = \mathrm{hash}(h | b)$;
  Output $m$ if $r = r'$, otherwise reject.
52. Attacks
Known attacks
Combinatorial attacks (meet-in-the-middle);
Lattice reductions;
Hybrid attacks;
Less effective attacks
Subfield attacks;
Subring attacks;
Mod 2 attack;
Hash attacks.
53. Attacks: meet-in-the-middle
Suppose $f$, $g$ are binary polynomials with Hamming weight $d$:
  list $= \emptyset$
  Guess an $f_i$ with Hamming weight $d/2$; compute $g_i = f_i \cdot h$;
  Check $g_i$ against every $g_j \in$ list:
    if $g_i + g_j$ is binary with Hamming weight $d$, output $g_i, g_j$ (then $f = f_i + f_j$);
    else, add $g_i$ to the list.
54. Attacks: lattice reduction
Find short vectors in the NTRU lattice $\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix}$ with lattice reduction algorithms: BKZ 2.0.
55. Attacks: hybrid
Re-write the basis in block-triangular form
$$\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix} = \begin{pmatrix} qI_{r_1} & 0 & 0 \\ * & L_1 & 0 \\ * & * & I_{r_2} \end{pmatrix}$$
Reduce the middle block $\begin{pmatrix} qI_{r_1} & 0 & 0 \\ * & L_1 & 0 \end{pmatrix}$, i.e. $L_1$;
(MITM) guess a vector $v$ in $L_2 := \begin{pmatrix} * & * & I_{r_2} \end{pmatrix}$, i.e. guess the last $r_2$ coordinates of the secret;
If guessed correctly, $v$ will be very close to $L_1$;
Find the closest vector to $v$ in $L_1$: easy if $L_1$ is well-reduced.
58. Modular Lattice Signatures
The core idea
Given a lattice L with a trapdoor T, a message m, find a vector v
v ∈ L
v ≡ hash(m) mod p
Can be instantiated via any lattice
SIS, R-SIS, R-LWE, etc
pqNTRUSign is an efficient instantiation using NTRU lattice
Efficient trapdoor f , g;
Well-understood hardness.
59. pqNTRUSign
Sign($f$, $g$, $h$, $p = 3$, $R$, $m$), where the trapdoor is the short vector $\langle p \times f, g \rangle \in L_h$ (i.e. $h = g/(p \times f)$, so that $p \times f \cdot h = g$)
  Hash the message into a "mod $p$" vector: $\langle v_p, u_p \rangle = \mathrm{hash}(m | h)$;
  Repeat with rejection sampling:
    Sample $v_0$ from a certain distribution; compute $v_1 = p \times v_0 + v_p$;
    Form the lattice vector $\langle v_1, u_1 \rangle = v_1 \cdot \langle I, h \rangle$; the "$v$-side" already meets the congruence condition;
    Micro-adjust the "$u$-side" using the trapdoor $f$ and $g$:
      Compute $a = (u_p - u_1) \cdot g^{-1} \bmod p$;
      Compute $\langle v_2, u_2 \rangle = a \cdot \langle p \times f, g \rangle$;
      Compute $\langle v, u \rangle = \langle v_1, u_1 \rangle + \langle v_2, u_2 \rangle$;
  Output $v$ as the signature.
Remark
$v = v_1 + v_2 = (p \times v_0 + v_p) + p \times a \cdot f = p \times (v_0 + a \cdot f) + v_p$, so $v \equiv v_p \pmod p$ whatever $a$ is, while $u = u_1 + a \cdot g \equiv u_p \pmod p$ by the choice of $a$.
60. pqNTRUSign
Verify($h$, $p = 3$, $R$, $m$, $v$)
  Hash the message into the "mod $p$" vector $\langle v_p, u_p \rangle = \mathrm{hash}(m | h)$;
  Reconstruct the lattice vector $\langle v, u \rangle = v \cdot \langle I, h \rangle$, i.e. $u = v \cdot h \bmod q$ (coefficients in $(-q/2, q/2]$, which gives the length bound $\|\langle v, u \rangle\| \le \sqrt{2N}\, q/2$ used in the forgery analysis);
  Check $\langle v, u \rangle \equiv \langle v_p, u_p \rangle \pmod p$.
61. pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approx.-SVP in an intersected lattice;
Transcript security - achieved via rejection sampling.
62. Forgery
Forgery: as hard as solving an approx.-SVP in an intersected lattice
$$L' := L_h \cap \left( p\,\mathbb{Z}^{2N} + \langle v_p, u_p \rangle \right)$$
$\det(L') = p^{2N} q^N \longrightarrow$ Gaussian heuristic length $= \sqrt{\dfrac{\dim}{2\pi e}} \cdot \det(L')^{1/\dim} = \sqrt{\dfrac{p^2 q N}{\pi e}}$ (with $\dim = 2N$);
Target vector length $\|\langle v, u \rangle\| \le \sqrt{2N} \cdot \dfrac{q}{2}$;
Approx.-SVP with root Hermite factor
$$\gamma = \left(\frac{\text{target length}}{\text{Gaussian heuristic length}}\right)^{1/\dim} = \left(\frac{q\pi e}{2p^2}\right)^{1/(2 \dim)} = \left(\frac{q\pi e}{2p^2}\right)^{1/4N}$$
Example: $N = 512$, $q = 12289$, $p = 3 \longrightarrow \gamma \approx 1.0042$.
63. Transcript security
Transcript attacks work against GGHSign and NTRUSign;
Each signature is a vector close to the lattice, and the difference between the two leaks information;
Recovering enough of these difference vectors (the blue dots in the figure) gives away a good basis of the lattice;
Seal the leakage with rejection sampling.
64. Rejection Sampling
Consider $b := v_0 + a \cdot f$
"large" $v_0$ drawn from uniform or Gaussian;
"small" $a$ drawn from sparse trinary/binary;
sparse trinary/binary $f$ is the secret.
Rejection sampling (RS) on $b$:
$b$ follows a certain publicly known distribution, independent of $f$;
for two secret keys $f_1$, $f_2$ and a signature $b$, one is not able to tell which key signed $b$ - witness indistinguishability.
65. Rejection Sampling
Rejection sampling on Uniform
Sample $v_0$ uniformly from $[-\frac{q}{2}, \frac{q}{2}]^N$;
Accept $b$ when $b$ is in $[-\frac{q}{2} + B, \frac{q}{2} - B]^N$, where $B$ bounds $\|a \cdot f\|_\infty$.
Before rejection (figure: histogram of $b$ over $[-600, 600]$; the density is not uniform, it falls off at both ends; legend "1/1031");
After rejection (figure: histogram of the accepted $b$; flat over the inner box, i.e. uniform; legend "1/1021").
67. Rejection Sampling
Rejection sampling on Gaussian
Sample $v_0$ from the discrete Gaussian $\chi^N_\sigma$;
Accept $b$ with the probability that makes the accepted $b$ Gaussian (figure: before/after rejection).
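Rejection sampling on a uniform $v_0$ (slides 64-66) as an added example, not code from the talk: a sampler that rejects until $b = v_0 + a \cdot f$ lands in the inner box, an exact enumeration showing that the accepted distribution is identical for every shift with $\|a \cdot f\|_\infty \le B$ and differs as soon as the shift exceeds $B$, plus the acceptance probability. $q = 1031$ and $B = 5$ are assumptions read off the plot legends $1/1031$ and $1/1021$; $N = 16$ and the weight-5 polynomials are arbitrary toy choices.

```python
"""Added example (not from the talk): rejection sampling of b = v_0 + a*f on a uniform v_0."""
import random

Q, B, N = 1031, 5, 16             # assumed: q = 1031, B = 5 (legend 1/1031 -> 1/1021), toy N
HALF = Q // 2                     # v_0 coefficients are uniform on [-HALF, HALF]
LOW, HIGH = -HALF + B, HALF - B   # inner box kept after rejection


def sparse_trinary(weight, rng):
    """'Small' a or secret f: exactly `weight` nonzero coefficients, each +1 or -1."""
    poly = [0] * N
    for pos in rng.sample(range(N), weight):
        poly[pos] = rng.choice((-1, 1))
    return poly


def cyclic_mul(a, f):
    """a * f in Z[x]/(x^N - 1); for trinary f, ||a*f||_inf <= ||a||_1 = weight(a)."""
    return [sum(a[i] * f[(k - i) % N] for i in range(N)) for k in range(N)]


def shift_bound(t):
    return max(abs(c) for c in t)


def sample_accepted(t, rng):
    """Slides 65-66: draw v_0 uniform on [-q/2, q/2]^N, set b = v_0 + t, and reject
    unless every coordinate of b lies in [-q/2 + B, q/2 - B]. Returns (b, tries)."""
    if shift_bound(t) > B:
        raise ValueError("secret shift exceeds B: accepted b would depend on the secret")
    tries = 0
    while True:
        tries += 1
        b = [rng.randint(-HALF, HALF) + ti for ti in t]
        if all(LOW <= c <= HIGH for c in b):
            return b, tries


def exact_output_distribution(shift):
    """Per coordinate: exact distribution of an accepted b for a fixed secret shift
    t_i = shift, enumerating all q values of v_0. For every |shift| <= B the table is
    the same (uniform on [LOW, HIGH]), so an accepted b says nothing about a*f."""
    counts = {}
    for v0 in range(-HALF, HALF + 1):
        b = v0 + shift
        if LOW <= b <= HIGH:
            counts[b] = counts.get(b, 0) + 1
    total = sum(counts.values())
    return {b: c / total for b, c in sorted(counts.items())}


def acceptance_probability(n_coords=N):
    """Probability that a whole N-coordinate sample is accepted: ((q - 2B) / q)^N."""
    return ((Q - 2 * B) / Q) ** n_coords


if __name__ == "__main__":
    rng = random.Random(2017)
    t = cyclic_mul(sparse_trinary(5, rng), sparse_trinary(5, rng))    # a * f
    b, tries = sample_accepted(t, rng)
    print("shift bound", shift_bound(t), "accepted after", tries, "tries")
    print("distinct accepted values per coordinate:", len(exact_output_distribution(0)))
    print("acceptance probability per sample: %.3f" % acceptance_probability())
```

The exact table is the argument from slide 64 made concrete: for any shift inside $[-B, B]$ every value of the inner box is hit by exactly one $v_0$, so the accepted $b$ is uniform on the box and independent of $a \cdot f$; the `ValueError` branch marks the failure mode, a shift larger than $B$, where one end of the box becomes unreachable and the transcript starts leaking.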
69. Thanks!
(Chinese idiom on the closing slide: to study the underlying principle to acquire knowledge; pursuing knowledge to the end.)
Figure source: Google Image & www.hsjushi.com