A Short Review of the NTRU Cryptosystem

A short review of the NTRU cryptosystem
Zhenfei Zhang
zzhang@onboardsecurity.com
July 12, 2017
Z.Zhang (Onboard Security Inc.) NTRU crypto July 12, 2017 1 / 42

Outline
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion

Why lattice

Why lattice
Lattice leads to the knowledge of everything!

Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)

Why lattice
the real reason
1994, Shor’s algorithm, break RSA and ECC with quantum
computers;
2015, NSA announcement: prepare for the quantum apocalypse;
2017, NIST call for competition/standardization;
2030(?), predicted general purpose quantum computers;
bonus points
Good understanding of underlying hard problem;
Fast, parallelable, hardware friendly;
Numerous applications: FHE, ABE, MMap, obfuscation, . . .

Why lattice
the real reason
2030(?), predicted general purpose quantum computers;
Data vaulting attack
A.k.a., harvest-then-decrypt attack
Data need to be secret for, say, 30 years;
Quantum computer arrives in, say, 15 years;
Perhaps the most practical attack in cryptography!

Figure source: https://nsa.gov1.info/utah-data-center/

State-of-art lattice-based crypto in practice
Key exchange/establishment schemes
Newhope (R-LWE), Frodo (LWE), NTRU-KEM (NTRU)
Encryption schemes
NTRUEncrypt (NTRU) - standardized by IEEE and ASC X9.
Signature schemes
BLISS (NTRU), pqNTRUSign (NTRU), TESLA (R-LWE)

Figure source: Christine van Vredendaal

How they are used in practice
Hybrid mode: QSC + ECC/RSA
Example: “quantum-saﬁng” handshake for TLS

Figure source: Wendy Cordero’s High School Math Site

Lattice
Deﬁnition of a Lattice
All the integral combinations of d ≤ n linearly independent vectors
over R
L = Z b1 + · · · + Z bd = {λ1b1 + · · · + λd bd : λi ∈ Z}
d dimension.
B = (b1, . . . , bd ) is a basis.
An example
B =
5 1
2
√
3
3
5
√
2 1
d = 2 ≤ n = 3
In this talk, full rank integer Basis: B ∈ Zn,n.

Example
A lattice L
B =
8 5
5 16
All lattice crypto talks start with an image of a dim-2 lattice

Example
A lattice L
UB =
1 0
−1 1
8 5
5 16
=
8 5
−3 11
An inﬁnity of basis

Example
A lattice L
UB =
1 0
1 1
8 5
5 16
=
8 5
13 21

Example
A lattice L
UB =
3 1
2 1
8 5
5 16
=
29 31
21 26

Example
The Shortest Vector and The First Minima
v = 8 5 , with λ1 = 82 + 52 = 9.434
The Shortest Vector

Example
The Determinant
det L = det (BBT ) = 103
The Fundamental Parallelepiped

SVP vs factorization
Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18
607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427
8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410
1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664
1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758
23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645
630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596
Factorize d1|d2| . . . |d18 ≈ 1800 bits
6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278
5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110
3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117
6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582
3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630
5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596
Find the shortest vector from









607934075107679728535017910491 0 0 . . . 0 0
110892038590491011470413624162 1 0 . . . 0 0
102527531745069397657213612427 0 1 . . . 0 0
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1051996449282023535890300047164 0 0 . . . 1 0
142993816453901841682500448596 0 0 . . . 0 1










SVP vs factorization
Given 18 random chosen integers of ≈ 100 bits: d1, . . . , d18
607934075107679728535017910491 110892038590491011470413624162 102527531745069397657213612427
8592010462121158793989191725 1046281300378014562233368120438 686996122377288254791817885410
1103832612625211064506848179346 220852682915784634287852309921 944649534225139220175474902664
1176690699541611773408761953223 1136130825665947553678910749119 1108943208362935558648540132758
23737901275111053772686813555 465809649893186621224122861041 715902840717351780807871627645
630574310792857742024648084025 1051996449282023535890300047164 142993816453901841682500448596
Factorize d1|d2| . . . |d18 ≈ 1800 bits
Easy
6079340751076797285350179104911108920385904910114704136241621025275317450693976572136124278
5920104621211587939891917251046281300378014562233368120438686996122377288254791817885410110
3832612625211064506848179346220852682915784634287852309921944649534225139220175474902664117
6690699541611773408761953223113613082566594755367891074911911089432083629355586485401327582
3737901275111053772686813555465809649893186621224122861041715902840717351780807871627645630
5743107928577420246480840251051996449282023535890300047164142993816453901841682500448596
Find the shortest vector from









607934075107679728535017910491 0 0 . . . 0 0
110892038590491011470413624162 1 0 . . . 0 0
102527531745069397657213612427 0 1 . . . 0 0
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
1051996449282023535890300047164 0 0 . . . 1 0
142993816453901841682500448596 0 0 . . . 0 1









As hard as solving SVP for any lattice of same dim

NTRU lattice
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion

NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime;
Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2

NTRU lattice
NTRU ring
Ring multiplications: h(x) = f (x) · g(x)
Compute h (x) = f (x) × g(x) over Z[x]
Reduce h (x) mod (xN − 1) mod q

NTRU lattice
NTRU ring
Ring multiplications: h(x) = f (x) · g(x), alternatively
h0, . . . , hN−1 = f0, . . . , fN−1 ×







g0 g1 g2 . . . gN−1
gN−1 g0 g1 . . . gN−2
gN−2 gN−1 g0 . . . gN−3
...
...
...
...
...
g1 g2 g3 . . . g0







mod q

NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a uniformly random ring element;
Computational: given h, ﬁnd f and g.

NTRU lattice
NTRU assumption
NTRU lattice
qIN 0
H IN
..=














q 0 . . . 0 0 0 . . . 0
0 q . . . 0 0 0 . . . 0
...
...
...
...
...
...
...
...
0 0 . . . q 0 0 . . . 0
h0 h1 . . . hN−1 1 0 . . . 0
hN−1 h0 . . . hN−2 0 1 . . . 0
...
...
...
...
...
...
...
...
h1 h2 . . . h0 0 0 . . . 1















NTRU lattice
NTRU assumption
NTRU lattice L =
qIN 0
H IN
g, f (and its cyclic rotations) are unique shortest vectors in L;
Decisional problem: decide if L has unique shortest vectors;
Computational problem: ﬁnd those vectors.
Both are hard for random lattices.

NTRU lattice
The real NTRU assumption
NTRU lattice behaves the same as random lattices.
NTRU lattice L =
qIN 0
H IN
g, f (and its cyclic rotations) are unique shortest vectors in L;
Decisional problem: decide if L has unique shortest vectors;
Computational problem: ﬁnd those vectors.
Both are hard for random lattices.

NTRU lattice vs random lattice
256 0
172 1
256 0
17 1
(g, f ) = (1, 3) v = (17, 1)

NTRU lattice vs random lattice
Random lattice, SV ≈ Gaussian Heuristic length = dim
2πe det
1
dim
NTRU lattice, unique shortest vectors = g, f 2

NTRU lattice vs LWE lattice
NTRU R-LWE
Secrets Trinary: {−1, 0, 1}dim Gaussian: χdim√
q
Ring Zq[x]/(xN − 1) Zq[x]/(xN + 1)

Interlude: How to estimate lattice strength?

Interlude: How to estimate lattice strength ( )?

Interlude: How to estimate the lattice strength
“Understanding lattice strength = mastering key technology. :D”
–Jackie Chan

Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Lattice reduction algms.
Approx.-SVP
γ: root Hermite factor
Cryptosystems1
Unique shortest vectors
α: Gap = (λN+1/λ1)1/2N

Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Approx.-SVP
Cryptosystems1
α: Gap = (λN+1/λ1)1/2N
“Ideal world” “Real world”

Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Approx.-SVP
Cryptosystems1
α: Gap = (λN+1/λ1)1/2N
α-uSVP ≈ γ-SVP −→ we can use BKZ/LLL results on uSVP
λ1 = λ2 = · · · = λN = g, f 2 =
√
2d
λN+1 ≈ Gaussian Heuristic length dim
2πe det
1
dim = Nq
πe
α = Nq
2dπe
1
4N
Not limited to NTRU, almost all eﬃcient lattice crypto base on uSVP

Random lattice:
qIN 0
A IN
NTRU lattice:
qIN 0
H IN
Approx.-SVP
Cryptosystems1
α: Gap = (λN+1/λ1)1/2N
α = Nq
2dπe
1
4N
Example: N = 743, q = 2048, d = 495: α ≈ 1.0038
α-uSVP ≈ γ-SVP
If BKZ 2.0 can solve Approx-SVP with γ = 1.0038, it can solve uSVP
Lattice strength = cost of BKZ 2.0 with γ = 1.0038

Interlude: Lattice reductions
Overview
time space approx. factor
LLL poly poly exp
BKZ sub-exp sub-exp sub-exp
Enumeration sup-exp poly 1
Sieving exp exp 1
Best in practice: BKZ 2.0
Input B = (b1, . . . , bn) and block size k
Repeat:
For i from 1 to n-k+1 do
Solve SVP for sub-lattice (bi , . . . , bi+k−1)
Size-reduction

Interlude: Lattice reductions
Repeat:
Size-reduction
Original BKZ 2.0: enumeration with extreme pruning
“New Hope”: (quantum) sieving

Interlude: Estimate BKZ 2.0 cost
Repeat:
Size-reduction
Example: n = 1024, γ = 1.006(?) (Extreme pruning)
To arrive γ = 1.006 one need to use block size 216;
Cost to ﬁnd SV in dim-216 lattice requires > 2105 node;
Per-node cost 27;
Call this SV solver for (n − k + 1) ∗ round > 29 times;
Total cost > 2121

Interlude: Estimate BKZ 2.0 cost
Repeat:
Size-reduction
Example: n = 1024, γ = 1.006 (Sieving)
To arrive γ = 1.006 one need to use block size 216;
Cost to ﬁnd SV in dim-216 lattice requires > 2216∗0.3 ≈ 265 operation;
Also requires ≈ 265 space
Call this SV solver for (n − k + 1) ∗ round > 29 times;
Total cost > 274

NTRUEncrypt
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion

NTRUEncrypt
A CCA-2 secure encryption scheme based on NTRU assumption
Enc (h = g/f , p = 3, R, m ∈ {−1, 0, 1}N
)
Find a random ring element r;
Compute e = p × r · h + m;
Dec (f , p = 3, R, e)
Compute c = e · f = p × r · g + m · f ;
Reduce c mod p = m · f mod p
Recover m = c · f −1 mod p

NTRUEncrypt
Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}N
)
Find a random ring element r;
Compute e = p × r · h + m;
Dec (f ≡ 1 mod p, p = 3, R, e)
Reduce c mod p = m · f mod p = m

NTRUEncrypt
Enc (h = g/f , p = 3, f ≡ 1 mod p, R, m ∈ {−1, 0, 1}k
)
Find a random string b; r = hash(h|b)
m = r ⊗ m|b
Compute e = p × r · h + m ;
Dec (f ≡ 1 mod p, g, p = 3, R, e)
Reduce c mod p = m · f mod p = m
Compute r = p−1 × (c − m · f ) · g−1
Extract m, b from m ⊗ r , compute r = hash(h|b);
Output m if r = r .

Attacks

Attacks
Known attacks
Combinatorial attacks (meet-in-the-middle);
Lattice reductions;
Hybrid attacks;
Less eﬀective attacks
Subﬁeld attacks;
Subring attacks:
Mod 2 attack.
Hash attacks.

Attacks
Known attacks
Lattice reductions;
Hybrid attacks;
Suppose f , g are binary polynomials with hamming weight d
list = ∅
Guess a fi with hamming weight d/2; compute gi = fi · h;
Check gi against every gj ∈ list:
if gi + gj is binary with hamming weight d; output gi , gj ;
else, add gi to list:

Attacks
Known attacks
Lattice reductions;
Hybrid attacks;
Find short vectors in NTRU lattice
qIN 0
H IN
Lattice reduction algorithms: BKZ 2.0

Attacks
Known attacks
Lattice reductions;
Hybrid attacks;
Re-write
qIN 0
H IN
..=


qIr1 0 0
∗ L1 0
∗ ∗ Ir2


Reduce L1
..=
qIr1 0 0
∗ L1 0
(MITM) guess a vector v in L2
..= ∗ ∗ Ir2
If guess correctly, v will be very close to L1;
Find the closest vector of v in L1;
Easy if L1 is well-reduced.

Parameters
Post-Quantum Parameter Sets and Security Estimates
Classical Quantum Hybrid Attack Parameters Product form log2 dec. root
security est. security est. N q (df , dg , dm) dim β rounds K Cost search cost fail prob. Hermite factor
128 128 443 2048 (148, 148, 115) 575 222 11 177 133 147 -196 1.0041
192 128 587 2048 (196, 196, 157) 723 311 9 258 197 193 -139 1.0031
256 128 743 2048 (247, 247, 204) 880 407 8 350 272 256 -112 1.0025

pqNTRUSign
1 Introduction
2 NTRU lattice
3 NTRUEncrypt
4 pqNTRUSign
5 Conclusion

Modular Lattice Signatures
The core idea
Given a lattice L with a trapdoor T, a message m, find a vector v
v ∈ L
v ≡ hash(m) mod p
Can be instantiated via any lattice
SIS, R-SIS, R-LWE, etc
pqNTRUSign is an efficient instantiation using NTRU lattice
Efficient trapdoor f , g;
Well-understood hardness.

pqNTRUSign
Sign (f , g, h = g/f , p = 3, R, m)
Hash message into a “mod p” vector vp, up = hash(m|h)
Repeat with rejection sampling:
Sample v0 from certain distribution; compute v1 = p × v0 + vp
Find a random lattice vector v1, u1 = v1 · I, h
“v-side” meets the congruent condition.
Micro-adjust “u-side” using trapdoor f and g
Compute a = (u1 − up) · g−1
mod p
Compute v2, u2 = a · p × f , g
Compute v, u = v1, u1 + v2, u2
Output v as signature
Remark
v = v1 + v2 = (p × v0 + vp) + p × a · f = p × (v0 + a · f ) + vp

pqNTRUSign
Verify (h, p = 3, R, m, v)
Hash message into a “mod p” vector vp, up = hash(m|h)
Reconstruct the lattice vector v, u = v · I, h
Check vp, up = hash(m|h)

pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approx.-SVP in an intersected lattice;
Transcript security - achieved via rejection sampling.

Forgery
Forgery: as hard as solving an approx.-SVP in an intersected lattice:
L ..= Lh ∩ (Z2N + vp, up )
det(L ) = p2NqN −→ Gaussian heuristic length = p2qN
πe
Target vector length v, u ≤
√
2N q
2
Approx.-SVP with root Hermite factor γ = qπe
2p2
1
dim
= qπe
2p2
1
4N
Example: N = 512, q = 12289, p = 3 −→ γ = 1.0042

Transcript security
Works on GGHSign, NTRUSign;
Each signature is a vector close
to the lattice (info leakage);
Recover enough of distance
vectors (blue dots) gives away a
good basis of the lattice;
Seal the leakage with rejection
sampling.

Rejection Sampling
Consider b ..= v0 + a · f
“large” v0 drawn from uniform or Gaussian;
“small” a drawn from sparse trinary/binary;
sparse trinary/binary f is the secret.
RS on b
b follows certain publicly known distribution independent from f ;
for two secret keys f1, f2 and a signature b, one is not able to tell
which key signs b - witness indistinguishability.

Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , −q
2 ]N
Accept b when b is in [−q
2 + B, −q
2 − B]N
Before rejection
0.0005
0.0006
0.0007
0.0008
0.0009
0.001
0.0011
-600 -400 -200 0 200 400 600
"notuniforminq"
1/1031.0

Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , −q
2 ]N
Accept b when b is in [−q
2 + B, −q
2 − B]N
After rejection
0
0.0002
0.0004
0.0006
0.0008
0.001
0.0012
-600 -400 -200 0 200 400 600
"uniforminq"
1/1021.0

Rejection Sampling
Rejection sampling on Gaussian
Sample v0 from discrete Gaussian χN
σ
Accept b when b is Gaussian
Before/after rejection

Future work
Better scalability:
Module-LWE based schemes;
Better eﬃciency:
Improved rejection sampling methods;
Better implementations
Constant time.
SIMD.

Thanks!
to study the underlying principle to acquire knowledge (idiom);
pursuing knowledge to the end.
Figure source: Google Image & www.hsjushi.com

A Short Review of the NTRU Cryptosystem

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Ähnlich wie A Short Review of the NTRU Cryptosystem

Ähnlich wie A Short Review of the NTRU Cryptosystem (20)

Mehr von OnBoard Security, Inc. - a Qualcomm Company

Mehr von OnBoard Security, Inc. - a Qualcomm Company (13)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

A Short Review of the NTRU Cryptosystem