DOCSLIB.ORG

Round5: a KEX Based on Learning with Rounding Over the Rings

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Round5: a KEX Based on Learning with Rounding Over the Rings Round5: a KEX based on learning with rounding over the rings Zhenfei Zhang [email protected] September 19, 2018 Round5 September 19, 2018 1 / 49 Areas I have been working on Theoretical results Signature schemes: Falcon (NTRUSign+GPV), pqNTRUSign Security proofs: Computational R-LWR problem Fully homomorphic encryptions Raptor: lattice based linkable ring signature (Blockchains!) Practical instantiations NTRU, Round5 Cryptanalysis and parameter derivation for lattices Efficient implementations: AVX-2 Constant time implementations Standardization: NIST, IETF, ETSI, ISO, CACR PQC process Deployment: enabling PQC for TLS, Tor, libgcrypt Under the radar: lattice based DAA, NIZK Round5 September 19, 2018 2 / 49 This talk Theoretical results Signature schemes: Falcon (NTRUSign+GPV), pqNTRUSign Security proofs: Computational R-LWR problem Fully homomorphic encryptions Raptor: lattice based linkable ring signature (Blockchains!) Practical instantiations NTRU, Round5 Cryptanalysis and parameter derivation for lattices Efficient implementations: AVX-2 Constant time implementations Standardization: NIST, IETF, ETSI, ISO, CACR PQC process Deployment: enabling PQC for TLS, Tor, libgcrypt Under the radar: lattice based DAA, NIZK Round5 September 19, 2018 3 / 49 Diffie-Hellman Alice:(a; A = g a) BoB(b; B = g b) A B g ab ab ∗ A; B and g are group elements over Zq. Round5 September 19, 2018 4 / 49 RLWE-KEX Alice:(a; A = Ga + ea) BoB(b; B = Gb + eb) A B aGb + aeb ≈ bGa + bea . Every element is a ring element over R .= Zq[x]=f (x). Round5 September 19, 2018 5 / 49 RLWE-KEX Alice:(a; X = Ga + ea) BoB(b; B = Gb + eb) A B Reconciliation r Extract(aGb + aeb; r) = Extract(bGa + bea; r) . Every element is a ring element over R .= Zq[x]=f (x). Round5 September 19, 2018 6 / 49 NTRU-KEM Alice:(a = 2t + 1; A = 2g=a) BoB:(b; m) A B = 2bA + m B m = Ba = 2bg + ma = m mod 2 m . N Every element is a ring element over R .= Zq[x]=(x − 1). Round5 September 19, 2018 7 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N N Ring Zq[x]=(x − 1) Zq[x]=(x + 1) Provable security No Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large Major concerns on NTRU No provable security Slow key generation c.f. New Hope Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX Major concerns on NTRU No provable security Slow key generation c.f. New Hope Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N N Ring Zq[x]=(x − 1) Zq[x]=(x + 1) Provable security No Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes(?) Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes(?) Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor No No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Hardness of dec R-LWR is an open problem Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor No No KeyGen Fast Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Hardness of dec R-LWR is an open problem (more on this later) Round5 September 19, 2018 8 / 49 The new NTRU, a.k.a. R-LWR-KEX Alice:(a; A = Round(Ga)) BoB(b; B = Round(Gb)) A B Reconciliation r Extract(Round(aB); r) = Extract(Round(bA); r) . a; b are ring elements over R .= Zq[x]=f (x); A; B are rounded over Zp[x]. Round5 September 19, 2018 9 / 49 R-LWR-KEX Improvements 743 Prime cyclotomic ring, i.e., φ743(x) = (x − 1)=(x − 1) Rounding instead of errors \Disadvantages" Parameters not compatible with number theoretic transform (NTT) Noise dependency Round5 September 19, 2018 10 / 49 Improvements I - PC ring Prime Cyclotomic ring PC ring as secure as power-of-2 cyclotomics; 1024 i.e., φ2048(x) = x + 1; Degree ≈ 700 offers enough security against BKZ attacks with quantum sieving; NewHope - has to be 512, 1024, etc.; Kyber - a multiple of 256; PC - any prime > 700; Also used in LIMA, NTRU-KEM, etc. Round5 September 19, 2018 11 / 49 Round5 September 19, 2018 12 / 49 Improvements II - Rounding Rounding Less randomness sampling - ea and eb; Ciphertext reduced to n log p, c.f. n log q; Small enough to be in an MTU for TLS; Introduces new assumptions. Round5 September 19, 2018 13 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Round5 September 19, 2018 14 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Karatsuba and Toom-Cook Divide and Conquer; Parameter dependent optimizations; Improving NTRU-743 reference implementation by 2.3x; Constant time; strong side channel resistance; Slightly slower than NTT for similar N. Round5 September 19, 2018 14 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Index based Super friendly with a trinary polynomial; Even faster than NTT; Constant time iff Ham(a) and Ham(b) are constant; Memory leakage. Round5 September 19, 2018 14 / 49 \Disadvantages" II - Noise management Rational: Use ECC to control errors Consider c(x) = a(x)b(x) mod xN−1 + xN−2 + ··· + 1 0 N 0 Let c (x) = a(x)b(x) mod (x − 1), then c (x) = c(x) mod φN (x) 0 0 ) ci = ci − cN Noise, i.e., kxey k1 is \doubled"; 0 Every coefficient is \lifted" by cN - creates dependency; ECC doesn't work on dependent errors. Round5 September 19, 2018 15 / 49 \Disadvantages" II - Noise management Rational: Use ECC to control errors Consider c(x) = a(x)b(x) mod xN−1 + xN−2 + ··· + 1 0 N 0 Let c (x) = a(x)b(x) mod (x − 1), then c (x) = c(x) mod φN (x) 0 0 ) ci = ci − cN Noise, i.e., kxey k1 is \doubled"; 0 Every coefficient is \lifted" by cN - creates dependency; ECC doesn't work on dependent errors. Solution - ring switching N multiply over φN (x), lift the final results to x − 1 ring; c0(x) = c(x)(x − 1) Only use the coefficients of 1; x2; x4; x6;::: ∼ N Security? Z[x]/φN (x) = Z[x]=(x − 1) \ fPoly with root 1g Round5 September 19, 2018 15 / 49 Round2 The team Philips: Hayo Baan, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Riemann, Ludo Tolhuizen, Jose Luis Torre Arce OnBoard Security: Zhenfei Zhang Round5 September 19, 2018 16 / 49 Round5 = Round2 + HILA5's ECC The team Philips: Hayo Baan, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Riemann, Ludo Tolhuizen, Jose Luis Torre Arce Cisco: Scott Fluhrer Rambus: Mike Hamburg TU/e: Thijs Laarhoven PQShield: Markku-Juhani Olavi Saarinen OnBoard Security: Zhenfei Zhang Round5 September 19, 2018 17 / 49 Performance Round5 September 19, 2018 18 / 49 Performance Round5 September 19, 2018 19 / 49 Performance Round5 September 19, 2018 20 / 49 Deployment: TLS Round5 September 19, 2018 21 / 49 Deployment: Hybrid solutions Round5 September 19, 2018 22 / 49 Round5 September 19, 2018 23 / 49 Another look at the security Round5 ) Dec R-LWR over PC ) Search R-LWE over PC ) Search R-LWE over any ring ) BDD over Ideal Lattices Round5 September 19, 2018 24 / 49 Another look at the security Round5)Dec R-LWR over PC )Search R-LWE over PC )Search R-LWE over any ring )BDD over Ideal Lattices Round5 September 19, 2018 25 / 49 What about the hardness of Dec R-LWR? Dec R-LWE as hard as search R-LWE Given (a; b = as + e) 2 R2; Increase the first coefficient of b gradually and call Dec R-LWE oracle; Oracle will keep returning true till overflow - this tells us e0; Repeat for all coefficients to learn e; Extract s from a noisy free sample b0 = as. Round5 September 19, 2018 26 / 49 What about the hardness of Dec R-LWR? Dec R-LWE as hard as search R-LWE Given (a; b = as + e) 2 R2; Increase the first coefficient of b gradually and call Dec R-LWE oracle; Oracle will keep returning true till overflow - this tells us e0; Repeat for all coefficients to learn e; Extract s from a noisy free sample b0 = as. Dec R-LWR? We can't modify e - it is deterministic. Round5 September 19, 2018 26 / 49 Our approach Intuition Search Problem ≥ Computational Problem ≥ Decisional Problem Computational Diffie-Hellman: given fg; g x ; g y g, find g xy ; Similarly, given fa; Round(as1); Round(as2)g, find Round(as1s2); This is the underlying problem for R-LWR-KEX Dec R-LWR problem isn't essential.
Load more

Recommended publications
  • Etsi Gr Qsc 001 V1.1.1 (2016-07)
    ETSI GR QSC 001 V1.1.1 (2016-07) GROUP REPORT Quantum-Safe Cryptography (QSC); Quantum-safe algorithmic framework 2 ETSI GR QSC 001 V1.1.1 (2016-07) Reference DGR/QSC-001 Keywords algorithm, authentication, confidentiality, security ETSI 650 Route des Lucioles F-06921 Sophia Antipolis Cedex - FRANCE Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16 Siret N° 348 623 562 00017 - NAF 742 C Association à but non lucratif enregistrée à la Sous-Préfecture de Grasse (06) N° 7803/88 Important notice The present document can be downloaded from: http://www.etsi.org/standards-search The present document may be made available in electronic versions and/or in print. The content of any electronic and/or print versions of the present document shall not be modified without the prior written authorization of ETSI. In case of any existing or perceived difference in contents between such versions and/or in print, the only prevailing document is the print of the Portable Document Format (PDF) version kept on a specific network drive within ETSI Secretariat. Users of the present document should be aware that the document may be subject to revision or change of status. Information on the current status of this and other ETSI documents is available at https://portal.etsi.org/TB/ETSIDeliverableStatus.aspx If you find errors in the present document, please send your comment to one of the following services: https://portal.etsi.org/People/CommiteeSupportStaff.aspx Copyright Notification No part may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying and microfilm except as authorized by written permission of ETSI.
    [Show full text]
  • NSS: an NTRU Lattice –Based Signature Scheme
    ISSN(Online) : 2319 - 8753 ISSN (Print) : 2347 - 6710 International Journal of Innovative Research in Science, Engineering and Technology (An ISO 3297: 2007 Certified Organization) Vol. 4, Issue 4, April 2015 NSS: An NTRU Lattice –Based Signature Scheme S.Esther Sukila Department of Mathematics, Bharath University, Chennai, Tamil Nadu, India ABSTRACT: Whenever a PKC is designed, it is also analyzed whether it could be used as a signature scheme. In this paper, how the NTRU concept can be used to form a digital signature scheme [1] is described. I. INTRODUCTION Digital Signature Schemes The notion of a digital signature may prove to be one of the most fundamental and useful inventions of modern cryptography. A digital signature or digital signature scheme is a mathematical scheme for demonstrating the authenticity of a digital message or document. The creator of a message can attach a code, the signature, which guarantees the source and integrity of the message. A valid digital signature gives a recipient reason to believe that the message was created by a known sender and that it was not altered in transit. Digital signatures are commonly used for software distribution, financial transactions etc. Digital signatures are equivalent to traditional handwritten signatures. Properly implemented digital signatures are more difficult to forge than the handwritten type. 1.1A digital signature scheme typically consists of three algorithms A key generationalgorithm, that selects a private key uniformly at random from a set of possible private keys. The algorithm outputs the private key and a corresponding public key. A signing algorithm, that given a message and a private key produces a signature.
    [Show full text]
  • Lattice-Based Cryptography - a Comparative Description and Analysis of Proposed Schemes
    Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen Thesis submitted for the degree of Master in Informatics: programming and networks 60 credits Department of Informatics Faculty of mathematics and natural sciences UNIVERSITY OF OSLO Autumn 2017 Lattice-based cryptography - A comparative description and analysis of proposed schemes Einar Løvhøiden Antonsen c 2017 Einar Løvhøiden Antonsen Lattice-based cryptography - A comparative description and analysis of proposed schemes http://www.duo.uio.no/ Printed: Reprosentralen, University of Oslo Acknowledgement I would like to thank my supervisor, Leif Nilsen, for all the help and guidance during my work with this thesis. I would also like to thank all my friends and family for the support. And a shoutout to Bliss and the guys there (you know who you are) for providing a place to relax during stressful times. 1 Abstract The standard public-key cryptosystems used today relies mathematical problems that require a lot of computing force to solve, so much that, with the right parameters, they are computationally unsolvable. But there are quantum algorithms that are able to solve these problems in much shorter time. These quantum algorithms have been known for many years, but have only been a problem in theory because of the lack of quantum computers. But with recent development in the building of quantum computers, the cryptographic world is looking for quantum-resistant replacements for today’s standard public-key cryptosystems. Public-key cryptosystems based on lattices are possible replacements. This thesis presents several possible candidates for new standard public-key cryptosystems, mainly NTRU and ring-LWE-based systems.
    [Show full text]
  • A Study on the Security of Ntrusign Digital Signature Scheme
    A Thesis for the Degree of Master of Science A Study on the Security of NTRUSign digital signature scheme SungJun Min School of Engineering Information and Communications University 2004 A Study on the Security of NTRUSign digital signature scheme A Study on the Security of NTRUSign digital signature scheme Advisor : Professor Kwangjo Kim by SungJun Min School of Engineering Information and Communications University A thesis submitted to the faculty of Information and Commu- nications University in partial fulfillment of the requirements for the degree of Master of Science in the School of Engineering Daejeon, Korea Jan. 03. 2004 Approved by (signed) Professor Kwangjo Kim Major Advisor A Study on the Security of NTRUSign digital signature scheme SungJun Min We certify that this work has passed the scholastic standards required by Information and Communications University as a thesis for the degree of Master of Science Jan. 03. 2004 Approved: Chairman of the Committee Kwangjo Kim, Professor School of Engineering Committee Member Jae Choon Cha, Assistant Professor School of Engineering Committee Member Dae Sung Kwon, Ph.D NSRI M.S. SungJun Min 20022052 A Study on the Security of NTRUSign digital signature scheme School of Engineering, 2004, 43p. Major Advisor : Prof. Kwangjo Kim. Text in English Abstract The lattices have been studied by cryptographers for last decades, both in the field of cryptanalysis and as a source of hard problems on which to build encryption schemes. Interestingly, though, research about building secure and efficient
    [Show full text]
  • (Not) to Design and Implement Post-Quantum Cryptography
    SoK: How (not) to Design and Implement Post-Quantum Cryptography James Howe1 , Thomas Prest1 , and Daniel Apon2 1 PQShield, Oxford, UK. {james.howe,thomas.prest}@pqshield.com 2 National Institute of Standards and Technology, USA. [email protected] Abstract Post-quantum cryptography has known a Cambrian explo- sion in the last decade. What started as a very theoretical and mathe- matical area has now evolved into a sprawling research ˝eld, complete with side-channel resistant embedded implementations, large scale de- ployment tests and standardization e˙orts. This study systematizes the current state of knowledge on post-quantum cryptography. Compared to existing studies, we adopt a transversal point of view and center our study around three areas: (i) paradigms, (ii) implementation, (iii) deployment. Our point of view allows to cast almost all classical and post-quantum schemes into just a few paradigms. We highlight trends, common methodologies, and pitfalls to look for and recurrent challenges. 1 Introduction Since Shor's discovery of polynomial-time quantum algorithms for the factoring and discrete logarithm problems, researchers have looked at ways to manage the potential advent of large-scale quantum computers, a prospect which has become much more tangible of late. The proposed solutions are cryptographic schemes based on problems assumed to be resistant to quantum computers, such as those related to lattices or hash functions. Post-quantum cryptography (PQC) is an umbrella term that encompasses the design, implementation, and integration of these schemes. This document is a Systematization of Knowledge (SoK) on this diverse and progressive topic. We have made two editorial choices.
    [Show full text]
  • Fault Analysis of the Ntrusign Digital Signature Scheme
    Cryptogr. Commun. (2012) 4:131–144 DOI 10.1007/s12095-011-0061-3 Fault analysis of the NTRUSign digital signature scheme Abdel Alim Kamal · Amr M. Youssef Received: 11 December 2010 / Accepted: 14 December 2011 / Published online: 6 January 2012 © Springer Science+Business Media, LLC 2012 Abstract We present a fault analysis of the NTRUSign digital signature scheme. The utilized fault model is the one in which the attacker is assumed to be able to fault a small number of coefficients in a specific polynomial during the signing process but cannot control the exact location of the injected transient faults. For NTRUsign with parameters (N, q = pl, B, standard, N ), when the attacker is able to skip the norm-bound signature checking step, our attack needs one fault, ≈ − 1 (( )t) succeeds with probability 1 p and requires O qN steps when the number of faulted polynomial coefficients is upper bounded by t. The attack is also applicable to NTRUSign utilizing the transpose NTRU lattice but it requires double the number of fault injections. Different countermeasures against the proposed attack are investigated. Keywords Side channel attacks · Lattice-based public key cryptosystems · Fault analysis and countermeasures · Digital signature schemes · NTRU Mathematics Subject Classification (2010) 94A60 1 Introduction NTRUSign [1–4] is a parameterized family of lattice-based public key digital signa- ture schemes that is currently under consideration for standardization by the IEEE P1363 working group. It was proposed after the original NTRU signature scheme (NSS) [5] was broken [6, 7]. Similar to the GGH cryptosystem [8], the security of A. A.
    [Show full text]
  • Public-Key Cryptography
    Public-key Cryptogra; Theory and Practice ABHIJIT DAS Department of Computer Science and Engineering Indian Institute of Technology Kharagpur C. E. VENIMADHAVAN Department of Computer Science and Automation Indian Institute ofScience, Bangalore PEARSON Chennai • Delhi • Chandigarh Upper Saddle River • Boston • London Sydney • Singapore • Hong Kong • Toronto • Tokyo Contents Preface xiii Notations xv 1 Overview 1 1.1 Introduction 2 1.2 Common Cryptographic Primitives 2 1.2.1 The Classical Problem: Secure Transmission of Messages 2 Symmetric-key or secret-key cryptography 4 Asymmetric-key or public-key cryptography 4 1.2.2 Key Exchange 5 1.2.3 Digital Signatures 5 1.2.4 Entity Authentication 6 1.2.5 Secret Sharing 8 1.2.6 Hashing 8 1.2.7 Certification 9 1.3 Public-key Cryptography 9 1.3.1 The Mathematical Problems 9 1.3.2 Realization of Key Pairs 10 1.3.3 Public-key Cryptanalysis 11 1.4 Some Cryptographic Terms 11 1.4.1 Models of Attacks 12 1.4.2 Models of Passive Attacks 12 1.4.3 Public Versus Private Algorithms 13 2 Mathematical Concepts 15 2.1 Introduction 16 2.2 Sets, Relations and Functions 16 2.2.1 Set Operations 17 2.2.2 Relations 17 2.2.3 Functions 18 2.2.4 The Axioms of Mathematics 19 Exercise Set 2.2 20 2.3 Groups 21 2.3.1 Definition and Basic Properties . 21 2.3.2 Subgroups, Cosets and Quotient Groups 23 2.3.3 Homomorphisms 25 2.3.4 Generators and Orders 26 2.3.5 Sylow's Theorem 27 Exercise Set 2.3 29 2.4 Rings 31 2.4.1 Definition and Basic Properties 31 2.4.2 Subrings, Ideals and Quotient Rings 34 2.4.3 Homomorphisms 37 2.4.4
    [Show full text]
  • The Whole Is Less Than the Sum of Its Parts: Constructing More Efficient Lattice-Based Akes?
    The Whole is Less than the Sum of its Parts: Constructing More Efficient Lattice-Based AKEs? Rafael del Pino1;2;3, Vadim Lyubashevsky4, and David Pointcheval3;2;1 1 INRIA, Paris 2 Ecole´ Normale Sup´erieure,Paris 3 CNRS 4 IBM Research Zurich Abstract. Authenticated Key Exchange (AKE) is the backbone of internet security protocols such as TLS and IKE. A recent announcement by standardization bodies calling for a shift to quantum-resilient crypto has resulted in several AKE proposals from the research community. Be- cause AKE can be generically constructed by combining a digital signature scheme with public key encryption (or a KEM), most of these proposals focused on optimizing the known KEMs and left the authentication part to the generic combination with digital signatures. In this paper, we show that by simultaneously considering the secrecy and authenticity require- ments of an AKE, we can construct a scheme that is more secure and with smaller communication complexity than a scheme created by a generic combination of a KEM with a signature scheme. Our improvement uses particular properties of lattice-based encryption and signature schemes and consists of two parts { the first part increases security, whereas the second reduces communication complexity. We first observe that parameters for lattice-based encryption schemes are always set so as to avoid decryption errors, since many observations by the adversary of such failures usually leads to him recovering the secret key. But since one of the requirements of an AKE is that it be forward-secure, the public key must change every time. The intuition is therefore that one can set the parameters of the scheme so as to not care about decryption errors and everything should still remain secure.
    [Show full text]
  • How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE
    How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin∗ Sara Krehbiely Chris Peikertz Abstract We develop secure threshold protocols for two important operations in lattice cryptography, namely, generating a hard lattice Λ together with a “strong” trapdoor, and sampling from a discrete Gaussian distribution over a desired coset of Λ using the trapdoor. These are the central operations of many crypto- graphic schemes: for example, they are exactly the key-generation and signing operations (respectively) for the GPV signature scheme, and they are the public parameter generation and private key extraction operations (respectively) for the GPV IBE. We also provide a protocol for trapdoor delegation, which is used in lattice-based hierarchical IBE schemes. Our work therefore directly transfers all these systems to the threshold setting. Our protocols provide information-theoretic (i.e., statistical) security against adaptive corruptions in the UC framework, and they are private and robust against an optimal number of semi-honest or malicious parties. Our Gaussian sampling protocol is both noninteractive and efficient, assuming either a trusted setup phase (e.g., performed as part of key generation) or a sufficient amount of interactive but offline precomputation, which can be performed before the inputs to the sampling phase are known. ∗Department of Computer Science, Aarhus University. Email: [email protected]. Supported by the Danish National Research Foundation and The National Science Foundation of China (under the grant 61061130540) for the Sino-Danish Center for the Theory of Interactive Computation, within which part of this work was performed; and also from the CFEM research center (supported by the Danish Strategic Research Council).
    [Show full text]
  • Cryptanalysis of Ntrusign Countermeasures
    Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures L´eoDucas and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d'Ulm, 75005 Paris, France. http://www.di.ens.fr/~ducas/ 2 INRIA, France and Tsinghua University, Institute for Advanced Study, China. http://www.di.ens.fr/~pnguyen/ Abstract NTRUSign is the most practical lattice signature scheme. Its basic version was broken by Nguyen and Regev in 2006: one can efficiently recover the secret key from about 400 signatures. However, countermea- sures have been proposed to repair the scheme, such as the perturbation used in NTRUSign standardization proposals, and the deformation pro- posed by Hu et al. at IEEE Trans. Inform. Theory in 2008. These two countermeasures were claimed to prevent the NR attack. Surprisingly, we show that these two claims are incorrect by revisiting the NR gradient- descent attack: the attack is more powerful than previously expected, and actually breaks both countermeasures in practice, e.g. 8,000 signatures suffice to break NTRUSign-251 with one perturbation as submitted to IEEE P1363 in 2003. More precisely, we explain why the Nguyen-Regev algorithm for learning a parallelepiped is heuristically able to learn more complex objects, such as zonotopes and deformed parallelepipeds. 1 Introduction There is growing interest in cryptography based on hard lattice problems (see the survey [22]). The field started with the seminal work of Ajtai [2] back in 1996, and recently got a second wind with Gentry's breakthrough work [7] on fully-homomorphic encryption. It offers asymptotical efficiency, potential resis- tance to quantum computers and new functionalities.
    [Show full text]
  • Choosing Parameters for Ntruencrypt
    Choosing Parameters for NTRUEncrypt Jeff Hoffstein1, Jill Pipher1, John M. Schanck2;3, Joseph H. Silverman1, William Whyte3, and Zhenfei Zhang3 1 Brown University, Providence, USA fjhoff,jpipher,[email protected] 2 University of Waterloo, Waterloo, Canada 3 Security Innovation, Wilmington, USA fjschanck,wwhyte,[email protected] Abstract. We describe a methods for generating parameter sets and calculating security estimates for NTRUEncrypt. Analyses are provided for the standardized product-form parameter sets from IEEE 1363.1-2008 and for the NTRU Challenge parameter sets. 1 Introduction and Notation In this note we will assume some familiarity with the details and notation of NTRUEncrypt. The reader desiring further background should consult standard references such as [4, 5, 12]. The key parameters are summarized in Table 1. Each is, implicitly, a function of the security parameter λ. Primary NTRUEncrypt Parameters N N; q Ring parameters RN;q = Zq[X]=(X − 1). p Message space modulus. d1; d2; d3 Non-zero coefficient counts for product form polynomial terms. dg Non-zero coefficient count for private key component g. dm Message representative Hamming weight constraint. Table 1. NTRUEncrypt uses a ring of convolution polynomials; a polynomial ring parameterized by a prime N and an integer q of the form N RN;q = (Z=qZ)[X]=(X − 1): The subscript will be dropped when discussing generic properties of such rings. We denote multiplication in R by ∗. An NTRUEncrypt public key is a generator for a cyclic R-module of rank 2, and is denoted (1; h). The private key is an element of this module which is \small" with respect to a given norm and is denoted (f; g).
    [Show full text]
  • Choosing Parameters for Ntruencrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H
    Choosing Parameters for NTRUEncrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H. Silverman, William Whyte, Zhenfei Zhang OnBoard Security / Brown University Security Innovation Embedded Business Unit is becoming Onboard Security! §Two sister companies being formed – OnBoard Security: Cryptography, Hardware Roots of Trust and Automotive Security – Security Innovation: Application Security Services and Education §Reasons – Increase strategic focus on core competencies – Unlock latent value – Attract pure-play investors Goal of presentation § Present new parameters as in published paper § Discuss parameter choices at a higher level to explore difference between published approaches – LWE – NTRU – NTRU Prime § Make a mysterious announcement A Lattice! (F,G) (f,g) Symmetric encryption with lattices: The Close Vector Problem Example over integers Lattice Basis B ((f,g), (F,G)) = ((7,1), (2,18)) • Pick m = (-2, 2). • (maximum norm of m < norm of shortest basis vector) • Pick random lattice point 5* (7,1) + 1*(2, 18) = (37, 23) • Add m to get e = (35, 25). 4.6 (f,g) 5 (f,g) + To decrypt: (F,G) 1 (F,G) • e = 4.6*(f,g) + 1.3*(F, G) 1.3 (F,G) … we get this by dividing: B-1 = ((G,-g), (-F, f)).[det(B)] -1. (f,g) • Round to closest lattice point = 5* (7,1) + 1*(2, 18) = (37, 23) • Subtract from e • Recover m = (-2, 2) Lattice-based crypto motivation § If I take E = a*H + b where H is known and a, b are random and “big enough”, then 1. For some size of a and b It is hard to recover a, b (the assumption used in NTRU) 2.
    [Show full text]