Choosing Parameters for NTRUEncrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H. Silverman, William Whyte, Zhenfei Zhang OnBoard Security / Brown University Security Innovation Embedded Business Unit is becoming Onboard Security!
§Two sister companies being formed – OnBoard Security: Cryptography, Hardware Roots of Trust and Automotive Security – Security Innovation: Application Security Services and Education §Reasons – Increase strategic focus on core competencies – Unlock latent value – Attract pure-play investors Goal of presentation
§ Present new parameters as in published paper § Discuss parameter choices at a higher level to explore difference between published approaches – LWE – NTRU – NTRU Prime § Make a mysterious announcement A Lattice!
(F,G)
(f,g) Symmetric encryption with lattices: The Close Vector Problem
Example over integers Lattice Basis B ((f,g), (F,G)) = ((7,1), (2,18)) • Pick m = (-2, 2). • (maximum norm of m < norm of shortest basis vector) • Pick random lattice point 5* (7,1) + 1*(2, 18) = (37, 23) • Add m to get e = (35, 25). 4.6 (f,g) 5 (f,g) + To decrypt: (F,G) 1 (F,G) • e = 4.6*(f,g) + 1.3*(F, G) 1.3 (F,G) … we get this by dividing: B-1 = ((G,-g), (-F, f)).[det(B)] -1. (f,g) • Round to closest lattice point = 5* (7,1) + 1*(2, 18) = (37, 23) • Subtract from e • Recover m = (-2, 2) Lattice-based crypto motivation
§ If I take E = a*H + b where H is known and a, b are random and “big enough”, then 1. For some size of a and b It is hard to recover a, b (the assumption used in NTRU) 2. For some larger size of a and b, E is indistinguishable from random (a stronger assumption) § If I take E = a*H + b where H is known and a, b are “small enough”, it may be possible to exploit the fact that E is derived from H to exchange a secret LWE key agreement
§ Publish: H § H = 723
§ A: generate small (aA, bA) § (aA, bA) = (4, 3)
– EA = aAH+bA, send EA – EA = 2895
§ B: generate small (aB, bB) § (aB, bB) = (-2, 5)
– EB = aBH+bB, send EB – EA = -1441
§ A: calculate SA = aA * EB § SA = -5764
– = aA * aB* H + aA * bB
§ B: calculate SB = aB * EA § SB = -5790
– = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement
§ Publish: H § H = 723
§ A: generate small (aA, bA) § (aA, bA) = (4, 3)
– EA = aAH+bA, send EA – EA = 2895
§ B: generate small (aB, bB) § (aB, bB) = (-2, 5)
– EB = aBH+bB, send EB – EA = -1441
§ A: calculate SA = aA * EB § SA = -5764
– = aA * aB* H + aA * bB
§ B: calculate SB = aB * EA § SB = -5790
– = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement
§ Publish: H § H = 723, q = 1024
§ A: generate small (aA, bA) § (aA, bA) = (4, 3)
– EA = aAH+bA, send EA – EA = 847
§ B: generate small (aB, bB) § (aB, bB) = (-2, 5)
– EB = aBH+bB, send EB – EA = 607
§ A: calculate SA = aA * EB § SA = 380
– = aA * aB* H + aA * bB
§ B: calculate SB = aB * EA § SB = 354
– = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement in a ring
§ Publish: H, R § R = any ring, e.g. § A: generate small (aA, bA) ℤ � /[� − 1] or ℤ � /[� + 1] – EA = aAH+bA, send EA – Choice of ring is § B: generate small (aB, bB) important, see later
– EB = aBH+bB, send EB § H, aA, bA, aB, bB = polynomials in the ring § A: calculate SA = aA * EB
– = aA * aB* H + aA * bB § For small enough a, b relative to q, top b § B: calculate SB = aB * EA
– aA * aB* H + aA * bB
§ Top bits of each coefficient of SA, SB are the same If components are small enough and q is large enough LWE Encryption
§ Public parameter: A in ring mod qPrivate key: s, e0, small § Public key: A, B = s*A + e0 § Encrypt n-bit message m: Publish – U = r*A + e1 – V = r*B + e2 + (m * q/2) § (Note, encrypter doesn’t know s so doesn’t know relationship between A and B)
§ Decrypt: Calculate V – s*U = – [r*B + e2 + (m * q/2)] - s*r*A - s*e1 = – s*r*A + r*e0 + e2 + (m * q/2) - s*r*A - s*e1 = – r*e0 + e2 - s*e1 + (m * q/2) – [small] [top bits of the coefficients]
If components are small enough and q is large enough NTRU Encryption – trapdoor in H
§ Review: small * random + small is hard with high enough N § Small can be removed given a “clue” in R-LWE encryption § Can we embed a trapdoor in H itself? § Yes, with an additional assumption: – NTRU OBSERVATION (Properties of distribution): Given a collection of {f} small in R, then {f-1} looks uniformly randomly distributed – NTRU ASSUMPTION (Inversion version): Given h = g * f-1 in R, it is hard to recover g and f – NTRU ASSUMPTION (Decisional version): Given h in R, it is hard to tell whether it was randomly generated or generated as g * f-1 § Security of NTRU Encryption rests on the Inversion version of this problem Raw NTRUEncrypt Operations
§ Key Generation N – Generate f, g, “small” polynomials in Zq[X]/(X -1). -1 -1 – Public key h = p*f *g mod q; private key = (f, fp = f mod p). § Encrypt (Raw operation) – Encode message as “small” polynomial m. – Generate “small” random polynomial r – Ciphertext e = r*h + m mod q. § Decrypt (Raw operation) – Set a = f*e mod q. § “mod q” = in range [A, A+q-1].
– Set m = fp * a mod p. Why Decryption Works
§ a = f * e (mod q) = f * (r*h + m) (mod q) = f * (r*p*g*f-1 + m) (mod q) = p*r*g + f*m (mod q) since f*Fq = 1 (mod q) § All the components are small, so this equality holds over the integers, not just mod q – If components are small enough and q is large enough § So – a mod p = f*m mod p
– a * f-1 mod = f-1*f*m mod p = m mod p = m. NTRUEncrypt v Ring-LWE 15
§ NTRUEncrypt: § Ring-LWE key exchange – Slower keygen (requires inversion) – Faster keygen, no inversion – Thinner noise: – h can be expanded from a seed, saving § Faster operations space § Smaller ciphertexts – Thicker noise: – Smaller q with same risk of decryption failure § Better provability – Smaller q allows smaller N with § Larger ciphertexts equivalent lattice security – Patent concerns over reconciliation – Patented mechanism § Core patents expire 2017, speedups – Some variants are not CCA-2; public expire 2021 keys cannot be reused – CCA-2; public keys can be long-term N and reused – Ring Z[X]/X +1 is factorizable mod q – Ring Z[X]/XN-1 is factorizable mod q NTRUEncrypt v Ring-LWE: fundamental v optional differences 16
§ NTRUEncrypt: § Ring-LWE key exchange – Slower keygen (requires inversion) – Faster keygen, no inversion – Thinner noise: – h can be expanded from a seed, saving § Faster operations space § Smaller ciphertexts – Thicker noise: – Smaller q with same risk of decryption failure § Better provability – Smaller q allows smaller N with § Larger ciphertexts equivalent lattice security – Patent concerns over reconciliation – Patented mechanism § Core patents expire 2017, speedups expire 2021 – Some variants are not CCA-2; public keys cannot be reused – CCA-2; public keys can be long-term and reused – Ring Z[X]/XN+1 is factorizable mod q – Ring Z[X]/XN-1 is factorizable mod q NTRU history § NTRUEncrypt proposed 1996 – Hoffstein, Pipher, Silverman (Brown University) – Should perhaps be called HPS… § Not originally realized to be lattice based! Developed at same time as Ajtai, etc § Published 1998 – Best attacks: lattice reduction or meet-in-the-middle / brute force § NTRUSign proposed 2001 – Not zero-knowledge § 2006-2007: “Hybrid attack” (Howgrave-Graham) combines lattice reduction and meet-in- the-middle – “80-bit secure” parameter sets give 64 bits of security against this attack – Revised parameter sets proposed § 2008: IEEE standard 1363.1 – NTRUEncrypt § 2010: X9 standard X9.98 – NTRUEncrypt CPA / CCA / Key reusability
§ Raw NTRU is not CPA-secure – Leaks m(1) for known r(1) § Use NAEP to provide CPA and CCA-2 security – Similar to OAEP – Concatenate message with random “salt” – Hash to generate r – Hash (r *h) to generate mask – m’ = message + mask mod p (XOR or similar) – e = r*h + m’ – On decryption, recover m and salt and repeat encryption; discard if result is not equal to received ciphertext § Provides CCA2 security if decryption failure probability is negligible Decryption failures
§ Say a = p*r*g + f*m Distributions of a 2176 2048 1920 § If maxCoeff(a) - minCoeff(a) ³ q 1792 1664 then at least one coefficient of a is 1536 1408 1280 reduced mod q on decryption 1152 1024 896 § This leads to the resulting value for 768 640 -1 512 m being off by some rotation of (f 384 256 mod p) * q mod p 128 0 -3 7 17 27 37 47 57 67 Decryption failures Distributions of a 2176 2048 1920 1792 1664 1536 1408 1280 § Say a = p*r*g + f*m 1152 1024 896 768 640 § If maxCoeff(a) - minCoeff(a) ³ q 512 384 256 then at least one coefficient of a is 128 0 reduced mod q on decryption -3 7 17 27 37 47 57 67 Distributions of a
2176 § This leads to the resulting value for 2048 1920 -1 1792 m being off by some rotation of (f 1664 1536 1408 mod p) * q mod p 1280 1152 1024 896 768 640 512 384 256 128 0 -3 7 17 27 37 47 57 67 2176 2048 Distributions of a 1920 1792 1664 1536 Decryption failures 1408 1280 1152 1024 896 768 640 512 384 § Say a = p*r*g + f*m 256 Distributions of a 128 21760 2048-3 7 17 27 37 47 57 67 1920 § If maxCoeff(a) - minCoeff(a) ³ q 1792 1664 1536 then at least one coefficient of a is 1408 1280 1152 reduced mod q on decryption 1024 896 768 640 512 § This leads to the resulting value for 384 256 -1 128 Distributions of a m being off by some rotation of (f 0 2176-3 7 17 27 37 47 57 67 mod p) * q mod p 2048 1920 1792 1664 1536 1408 1280 1152 1024 896 768 640 512 384 256 128 0 -3 7 17 27 37 47 57 67 Philosophies of parameter choice
§ Ring parameters: N, q, p § Alternative ring moduli: – p, q must generate coprime ideals of – Ring Z [X]/(XN+1) with N a power of 2 N q the ring Zq[X]/(X -1). § Irreducible, so every f is invertible – Set p = 3, set q = a power of 2 § N a power of 2 allows for fast calculations using number theory – Small p allows lower decryption errors, transformations q = power of 2 allows fast reduction § Used in many LWE and other non- mod q NTRU lattice-based cryptosystems N § Ring modulus factorization: – Ring Zq[X]/(X -X-1) – actually a field N § Recommended by NTRU Prime paper – Ring Zq[X]/(X -1) was originally chosen for performance reasons § The attack addressed by using a field is highly speculative, even in the “attacks – No particular reason to change it only get better” model N § Our belief is that Ring Zq[X]/(X -1) – Factorization of (XN-1) mod 2 affects improves performance without creating likelihood of finding invertible f on any security weaknesses keygen Fast multiplication, NTRU style
§ Express f (resp. r) as a series of indices: locations of the df +1s, locations of the df -1s – Add together the rotations of h (resp. e) corresponding to the non-zero indices § Only about df adds rather than N – Can be further improved by fitting § But is hard to make constant time § Product form: even more so – f = f1 * f2 + f3, multiply using indices as before – In principle can reduce df to its square root and get the same thickness of f ==> same security against lattice attacks – In practice speedup is about a factor of 3 Philosophy behind these parameters
§ Resist all known attacks (obviously) § Speed and size rather than theoretical security properties § Best average speed rather than constant-time private key operations
§ In later slides we’ll discuss how we might change parameter sets to meet constant-time requirement Lattice reduction attacks
§ Our understanding of lattice reduction has improved significantly since 2009 when the last set of NTRU parameters was published § Therefore we are able to reduce sizes
§ (Note, various other attacks published that are subexponential asymptotically but don’t affect security estimates for practical parameter sizes) Previous approach (1996-2009): lots of experiments
§ The lower a and c, the faster reduction algorithms run. § Run experiments at a and c lower than those obtained for our parameter sets. – a = 0.8, c = 2.6 § Effort to break, in bits, goes as 0.4245 N – 3.440 – Derived from 80 bits ~ 1012 MIPS-years § Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.(THE DETAILS) § Plots opposite are for c = 1.7 § Figures obtained using Victor Shoup’s NTL, experiments run by Phil Hirschhorn.
§ Zero-Forcing: adversary guesses patterns that appear in f or r to reduce lattice dimension – Takes advantage of rotational symmetry of NTRU lattice. Lattice reduction today
Conjecture in Kuo et al. [CHES 2011] using GTX-480 GPU
Our Experimental Results Records of SVP Challenge
From http://eprint.iacr.org/2016/146 Hybrid attack
§ Do lattice reduction in the middle § Then brute-force search on the unreduced space § Because the keys are very thin, this brute-force search is effective – But its effectiveness and expected running times can be calculated without concern that there will be significant algorithmic improvements § Meanwhile, lattice reduction on the middle is against a random lattice – Easier to model than against a lattice with an unusually short vector Minimum thickness of m’
§ The message representative m’ is a masked version of the message – Mask is randomly generated § M’ could potentially be unbalanced – have unexpectedly large numbers of 1s, -1s, or 0s – This would be (partially) leaked via m(1) and could let an attacker know that a particular ciphertext was easier to attack § New parameter sets have maximum number of each of 0, 1, -1 in m’ and regenerate encrypted message with different salt if that number is exceeded – No practical effect on speed, chance of re-encryption is low And yes, we messed up… “salt” size
§ Salt size was set at k bits for k bit security § Salt size governs CPA security – an attacker who can guess the salt can distinguish between encryptions of 0 and 1 § Attacker needs 2k guesses so this should have been okay… – ... But of course a quantum attacker needs only 2k/2 guesses § So new parameters set salt length = 2k. Final parameter sets
2009 à … if you want no decryption failures or smaller public keys/ciphertexts … if you want constant time private key operations
§ You can still take r to be product form § But take f = trinary (not product form) § Ongoing topic of research Big Announcement
§Interns! [email protected] §Also… Announcement
§Interns! [email protected] §NTRUEncrypt Patent Free shortly
Patent Number Public key cryptosystem method and apparatus 6,081,597 Ring-based public key cryptosystem method 6,298,137 Secure user identification based on ring homomorphisms 6,959,085 Speed enhanced cryptographic method and apparatus 7,031,468 Biggest Announcement
§Interns! [email protected] §NTRUEncrypt Patent Free immediately §OnBoard Security is prepared to sell the pqNTRUSign IP to a global distribution partner.
SESSION ID: CRYP-T09
Encoding-Free ElGamal-type Encryption Schemes on Elliptic Curves
Marc Joye1 and BenoˆıtLibert2
1NXP Semiconductors (USA)
2CNRS & ENS de Lyon (France) Public-Key Encryption
• Two matching keys: the public key and the private key
Alice Bob
m → → C −−−−−−−−−−−−−−−−−→ C → → m
2 Public-Key Encryption
• Two matching keys: the public key and the private key
Alice Bob
m → → C −−−−−−−−−−−−−−−−−→ C → → m
2 [Textbook] ElGamal Encryption
:= ∗ = hgi Alice G Fp Bob ∗ x message m ∈ Fp y = g mod p pk = y and sk = x random r ∈ {0,..., p − 1} ( r c = g mod p (c ,c ) 1 −−−−−−−−−−−−−−−−−→1 2 r c2 = m · y mod p −x m = c2 · (c1) mod p
3 Decision Diffie-Hellman Assumption
Theorem ElGamal encryption is semantically secure against chosen-plaintext attacks under the Decision Diffie-Hellman (DDH) assumption
Definition (DDH Assumption — informally)
Let G = hgi of order q. No efficient algorithm can distinguish the distributions