Choosing Parameters for Ntruencrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H

Home , ElGamal encryption, NTRUEncrypt, NTRUSign

Choosing Parameters for NTRUEncrypt Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H. Silverman, William Whyte, Zhenfei Zhang OnBoard Security / Brown University Security Innovation Embedded Business Unit is becoming Onboard Security!

§Two sister companies being formed – OnBoard Security: Cryptography, Hardware Roots of Trust and Automotive Security – Security Innovation: Application Security Services and Education §Reasons – Increase strategic focus on core competencies – Unlock latent value – Attract pure-play investors Goal of presentation

§ Present new parameters as in published paper § Discuss parameter choices at a higher level to explore difference between published approaches – LWE – NTRU – NTRU Prime § Make a mysterious announcement A Lattice!

(F,G)

(f,g) Symmetric encryption with lattices: The Close Vector Problem

Example over integers Lattice Basis B ((f,g), (F,G)) = ((7,1), (2,18)) • Pick m = (-2, 2). • (maximum norm of m < norm of shortest basis vector) • Pick random lattice point 5* (7,1) + 1*(2, 18) = (37, 23) • Add m to get e = (35, 25). 4.6 (f,g) 5 (f,g) + To decrypt: (F,G) 1 (F,G) • e = 4.6*(f,g) + 1.3*(F, G) 1.3 (F,G) … we get this by dividing: B-1 = ((G,-g), (-F, f)).[det(B)] -1. (f,g) • Round to closest lattice point = 5* (7,1) + 1*(2, 18) = (37, 23) • Subtract from e • Recover m = (-2, 2) Lattice-based crypto motivation

§ If I take E = a*H + b where H is known and a, b are random and “big enough”, then 1. For some size of a and b It is hard to recover a, b (the assumption used in NTRU) 2. For some larger size of a and b, E is indistinguishable from random (a stronger assumption) § If I take E = a*H + b where H is known and a, b are “small enough”, it may be possible to exploit the fact that E is derived from H to exchange a secret LWE key agreement

§ Publish: H § H = 723

§ A: generate small (aA, bA) § (aA, bA) = (4, 3)

– EA = aAH+bA, send EA – EA = 2895

§ B: generate small (aB, bB) § (aB, bB) = (-2, 5)

– EB = aBH+bB, send EB – EA = -1441

§ A: calculate SA = aA * EB § SA = -5764

– = aA * aB* H + aA * bB

§ B: calculate SB = aB * EA § SB = -5790

– = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement

§ Publish: H § H = 723

§ A: generate small (aA, bA) § (aA, bA) = (4, 3)

– EA = aAH+bA, send EA – EA = 2895

§ B: generate small (aB, bB) § (aB, bB) = (-2, 5)

– EB = aBH+bB, send EB – EA = -1441

§ A: calculate SA = aA * EB § SA = -5764

– = aA * aB* H + aA * bB

§ B: calculate SB = aB * EA § SB = -5790

– = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement

§ Publish: H § H = 723, q = 1024

§ A: generate small (aA, bA) § (aA, bA) = (4, 3)

– EA = aAH+bA, send EA – EA = 847

§ B: generate small (aB, bB) § (aB, bB) = (-2, 5)

– EB = aBH+bB, send EB – EA = 607

§ A: calculate SA = aA * EB § SA = 380

– = aA * aB* H + aA * bB

§ B: calculate SB = aB * EA § SB = 354

– = aA * aB* H + aA * bB § Top bits/digits are the same! If components are small enough and H is large enough LWE key agreement in a ring

§ Publish: H, R § R = any ring, e.g. § A: generate small (aA, bA) ℤ � /[� − 1] or ℤ � /[� + 1] – EA = aAH+bA, send EA – Choice of ring is § B: generate small (aB, bB) important, see later

– EB = aBH+bB, send EB § H, aA, bA, aB, bB = polynomials in the ring § A: calculate SA = aA * EB

– = aA * aB* H + aA * bB § For small enough a, b relative to q, top b § B: calculate SB = aB * EA

– aA * aB* H + aA * bB

§ Top bits of each coefficient of SA, SB are the same If components are small enough and q is large enough LWE Encryption

§ Public parameter: A in ring mod qPrivate key: s, e0, small § Public key: A, B = s*A + e0 § Encrypt n-bit message m: Publish – U = r*A + e1 – V = r*B + e2 + (m * q/2) § (Note, encrypter doesn’t know s so doesn’t know relationship between A and B)

§ Decrypt: Calculate V – s*U = – [r*B + e2 + (m * q/2)] - s*r*A - s*e1 = – s*r*A + r*e0 + e2 + (m * q/2) - s*r*A - s*e1 = – r*e0 + e2 - s*e1 + (m * q/2) – [small] [top bits of the coefficients]

If components are small enough and q is large enough NTRU Encryption – trapdoor in H

§ Review: small * random + small is hard with high enough N § Small can be removed given a “clue” in R-LWE encryption § Can we embed a trapdoor in H itself? § Yes, with an additional assumption: – NTRU OBSERVATION (Properties of distribution): Given a collection of {f} small in R, then {f-1} looks uniformly randomly distributed – NTRU ASSUMPTION (Inversion version): Given h = g * f-1 in R, it is hard to recover g and f – NTRU ASSUMPTION (Decisional version): Given h in R, it is hard to tell whether it was randomly generated or generated as g * f-1 § Security of NTRU Encryption rests on the Inversion version of this problem Raw NTRUEncrypt Operations

§ Key Generation N – Generate f, g, “small” polynomials in Zq[X]/(X -1). -1 -1 – Public key h = p*f *g mod q; private key = (f, fp = f mod p). § Encrypt (Raw operation) – Encode message as “small” polynomial m. – Generate “small” random polynomial r – Ciphertext e = r*h + m mod q. § Decrypt (Raw operation) – Set a = f*e mod q. § “mod q” = in range [A, A+q-1].

– Set m = fp * a mod p. Why Decryption Works

§ a = f * e (mod q) = f * (r*h + m) (mod q) = f * (r*p*g*f-1 + m) (mod q) = p*r*g + f*m (mod q) since f*Fq = 1 (mod q) § All the components are small, so this equality holds over the integers, not just mod q – If components are small enough and q is large enough § So – a mod p = f*m mod p

– a * f-1 mod = f-1*f*m mod p = m mod p = m. NTRUEncrypt v Ring-LWE 15

§ NTRUEncrypt: § Ring-LWE key exchange – Slower keygen (requires inversion) – Faster keygen, no inversion – Thinner noise: – h can be expanded from a seed, saving § Faster operations space § Smaller ciphertexts – Thicker noise: – Smaller q with same risk of decryption failure § Better provability – Smaller q allows smaller N with § Larger ciphertexts equivalent lattice security – Patent concerns over reconciliation – Patented mechanism § Core patents expire 2017, speedups expire 2021 – Some variants are not CCA-2; public keys cannot be reused – CCA-2; public keys can be long-term and reused – Ring Z[X]/XN+1 is factorizable mod q – Ring Z[X]/XN-1 is factorizable mod q NTRU history § NTRUEncrypt proposed 1996 – Hoffstein, Pipher, Silverman (Brown University) – Should perhaps be called HPS… § Not originally realized to be lattice based! Developed at same time as Ajtai, etc § Published 1998 – Best attacks: lattice reduction or meet-in-the-middle / brute force § NTRUSign proposed 2001 – Not zero-knowledge § 2006-2007: “Hybrid attack” (Howgrave-Graham) combines lattice reduction and meet-in- the-middle – “80-bit secure” parameter sets give 64 bits of security against this attack – Revised parameter sets proposed § 2008: IEEE standard 1363.1 – NTRUEncrypt § 2010: X9 standard X9.98 – NTRUEncrypt CPA / CCA / Key reusability

§ Raw NTRU is not CPA-secure – Leaks m(1) for known r(1) § Use NAEP to provide CPA and CCA-2 security – Similar to OAEP – Concatenate message with random “salt” – Hash to generate r – Hash (r *h) to generate mask – m’ = message + mask mod p (XOR or similar) – e = r*h + m’ – On decryption, recover m and salt and repeat encryption; discard if result is not equal to received ciphertext § Provides CCA2 security if decryption failure probability is negligible Decryption failures

§ Say a = p*r*g + f*m Distributions of a 2176 2048 1920 § If maxCoeff(a) - minCoeff(a) ³ q 1792 1664 then at least one coefficient of a is 1536 1408 1280 reduced mod q on decryption 1152 1024 896 § This leads to the resulting value for 768 640 -1 512 m being off by some rotation of (f 384 256 mod p) * q mod p 128 0 -3 7 17 27 37 47 57 67 Decryption failures Distributions of a 2176 2048 1920 1792 1664 1536 1408 1280 § Say a = p*r*g + f*m 1152 1024 896 768 640 § If maxCoeff(a) - minCoeff(a) ³ q 512 384 256 then at least one coefficient of a is 128 0 reduced mod q on decryption -3 7 17 27 37 47 57 67 Distributions of a

2176 § This leads to the resulting value for 2048 1920 -1 1792 m being off by some rotation of (f 1664 1536 1408 mod p) * q mod p 1280 1152 1024 896 768 640 512 384 256 128 0 -3 7 17 27 37 47 57 67 2176 2048 Distributions of a 1920 1792 1664 1536 Decryption failures 1408 1280 1152 1024 896 768 640 512 384 § Say a = p*r*g + f*m 256 Distributions of a 128 21760 2048-3 7 17 27 37 47 57 67 1920 § If maxCoeff(a) - minCoeff(a) ³ q 1792 1664 1536 then at least one coefficient of a is 1408 1280 1152 reduced mod q on decryption 1024 896 768 640 512 § This leads to the resulting value for 384 256 -1 128 Distributions of a m being off by some rotation of (f 0 2176-3 7 17 27 37 47 57 67 mod p) * q mod p 2048 1920 1792 1664 1536 1408 1280 1152 1024 896 768 640 512 384 256 128 0 -3 7 17 27 37 47 57 67 Philosophies of parameter choice

§ Ring parameters: N, q, p § Alternative ring moduli: – p, q must generate coprime ideals of – Ring Z [X]/(XN+1) with N a power of 2 N q the ring Zq[X]/(X -1). § Irreducible, so every f is invertible – Set p = 3, set q = a power of 2 § N a power of 2 allows for fast calculations using number theory – Small p allows lower decryption errors, transformations q = power of 2 allows fast reduction § Used in many LWE and other non- mod q NTRU lattice-based cryptosystems N § Ring modulus factorization: – Ring Zq[X]/(X -X-1) – actually a field N § Recommended by NTRU Prime paper – Ring Zq[X]/(X -1) was originally chosen for performance reasons § The attack addressed by using a field is highly speculative, even in the “attacks – No particular reason to change it only get better” model N § Our belief is that Ring Zq[X]/(X -1) – Factorization of (XN-1) mod 2 affects improves performance without creating likelihood of finding invertible f on any security weaknesses keygen Fast multiplication, NTRU style

§ Express f (resp. r) as a series of indices: locations of the df +1s, locations of the df -1s – Add together the rotations of h (resp. e) corresponding to the non-zero indices § Only about df adds rather than N – Can be further improved by fitting § But is hard to make constant time § Product form: even more so – f = f1 * f2 + f3, multiply using indices as before – In principle can reduce df to its square root and get the same thickness of f ==> same security against lattice attacks – In practice speedup is about a factor of 3 Philosophy behind these parameters

§ Resist all known attacks (obviously) § Speed and size rather than theoretical security properties § Best average speed rather than constant-time private key operations

§ In later slides we’ll discuss how we might change parameter sets to meet constant-time requirement Lattice reduction attacks

§ Our understanding of lattice reduction has improved significantly since 2009 when the last set of NTRU parameters was published § Therefore we are able to reduce sizes

§ (Note, various other attacks published that are subexponential asymptotically but don’t affect security estimates for practical parameter sizes) Previous approach (1996-2009): lots of experiments

§ The lower a and c, the faster reduction algorithms run. § Run experiments at a and c lower than those obtained for our parameter sets. – a = 0.8, c = 2.6 § Effort to break, in bits, goes as 0.4245 N – 3.440 – Derived from 80 bits ~ 1012 MIPS-years § Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.(THE DETAILS) § Plots opposite are for c = 1.7 § Figures obtained using Victor Shoup’s NTL, experiments run by Phil Hirschhorn.

§ Zero-Forcing: adversary guesses patterns that appear in f or r to reduce lattice dimension – Takes advantage of rotational symmetry of NTRU lattice. Lattice reduction today

Conjecture in Kuo et al. [CHES 2011] using GTX-480 GPU

Our Experimental Results Records of SVP Challenge

From http://eprint.iacr.org/2016/146 Hybrid attack

§ Do lattice reduction in the middle § Then brute-force search on the unreduced space § Because the keys are very thin, this brute-force search is effective – But its effectiveness and expected running times can be calculated without concern that there will be significant algorithmic improvements § Meanwhile, lattice reduction on the middle is against a random lattice – Easier to model than against a lattice with an unusually short vector Minimum thickness of m’

§ The message representative m’ is a masked version of the message – Mask is randomly generated § M’ could potentially be unbalanced – have unexpectedly large numbers of 1s, -1s, or 0s – This would be (partially) leaked via m(1) and could let an attacker know that a particular ciphertext was easier to attack § New parameter sets have maximum number of each of 0, 1, -1 in m’ and regenerate encrypted message with different salt if that number is exceeded – No practical effect on speed, chance of re-encryption is low And yes, we messed up… “salt” size

§ Salt size was set at k bits for k bit security § Salt size governs CPA security – an attacker who can guess the salt can distinguish between encryptions of 0 and 1 § Attacker needs 2k guesses so this should have been okay… – ... But of course a quantum attacker needs only 2k/2 guesses § So new parameters set salt length = 2k. Final parameter sets

2009 à … if you want no decryption failures or smaller public keys/ciphertexts … if you want constant time private key operations

§ You can still take r to be product form § But take f = trinary (not product form) § Ongoing topic of research Big Announcement

§Interns! [email protected] §Also… Announcement

§Interns! [email protected] §NTRUEncrypt Patent Free shortly

Patent Number Public key cryptosystem method and apparatus 6,081,597 Ring-based public key cryptosystem method 6,298,137 Secure user identification based on ring homomorphisms 6,959,085 Speed enhanced cryptographic method and apparatus 7,031,468 Biggest Announcement

§Interns! [email protected] §NTRUEncrypt Patent Free immediately §OnBoard Security is prepared to sell the pqNTRUSign IP to a global distribution partner.

SESSION ID: CRYP-T09

Encoding-Free ElGamal-type Encryption Schemes on Elliptic Curves

Marc Joye1 and BenoˆıtLibert2

1NXP Semiconductors (USA)

2CNRS & ENS de Lyon (France) Public-Key Encryption

• Two matching keys: the public key and the private key

Alice Bob

m → → C −−−−−−−−−−−−−−−−−→ C → → m

2 Public-Key Encryption

• Two matching keys: the public key and the private key

Alice Bob

m → → C −−−−−−−−−−−−−−−−−→ C → → m

2 [Textbook] ElGamal Encryption

:= ∗ = hgi Alice G Fp Bob ∗ x message m ∈ Fp y = g mod p pk = y and sk = x random r ∈ {0,..., p − 1} ( r c = g mod p (c ,c ) 1 −−−−−−−−−−−−−−−−−→1 2 r c2 = m · y mod p −x m = c2 · (c1) mod p

3 Decision Diﬃe-Hellman Assumption

Theorem ElGamal encryption is semantically secure against chosen-plaintext attacks under the Decision Diﬃe-Hellman (DDH) assumption

Deﬁnition (DDH Assumption — informally)

Let G = hgi of order q. No eﬃcient algorithm can distinguish the distributions

a b ab a b c g, g , g , g and g, g , g , g where a, b, c ←R {0,..., q − 1}

4 ElGamal Encryption

∗ G := Fp = hgi := hgi of prime order q Alice G Bob x message m ∈ G y = g mod p pk = y and sk = x random r ∈ {0,..., q − 1} ( r c = g mod p (c ,c ) 1 −−−−−−−−−−−−−−−−−→1 2 r c2 = m · y mod p −x m = c2 · (c1) mod p

5 Generalized ElGamal Encryption

• ElGamal encryption works in any group G in which the DDH assumption holds

• Elliptic curve cryptography • invented [independently] by Neil Koblitz and Victor Miller in 1985 • useful for key exchange, encryption, digital signature, . . . • main advantage: smaller key sizes gains in speed and memory

6 Elliptic Curve ElGamal Encryption

:= hPi of prime order q Alice G Bob message M ∈ G Y = [x]P pk = Y and sk = x random r ∈ {0,..., q − 1} ( C = [r]P (C ,C ) 1 −−−−−−−−−−−−−−−−−→1 2 C2 = M + [r]Y M = C2 − [x]C1

7 Message Encoding

• For elliptic-curve ElGamal, G := hPi ⊆ E(Fp) • i.e., order q cyclic subgroup of points on an elliptic curve, generated by P

• Elliptic curve E(Fp) Alice 2 3 message M ∈ G (x, y) ∈ Fp × Fp | y = x + ax + b

plus the ‘point at inﬁnity’ O

Message Encoding

Find an injective encoding function mapping a bit-string to hPi ⊆ E(Fp)

8 Message Encoding

• For elliptic-curve ElGamal, G := hPi ⊆ E(Fp) • i.e., order q cyclic subgroup of points on an elliptic curve, generated by P

• Elliptic curve E(Fp) Alice 2 3 message M ∈ G (x, y) ∈ Fp × Fp | y = x + ax + b

plus the ‘point at inﬁnity’ O

Message Encoding

Find an injective encoding function mapping a bit-string to hPi ⊆ E(Fp)

8 Some Solutions. . .

Message space is M = {0, 1}`

1 Use certain ‘special’ elliptic curves • e.g., Fouque-Joux-Tibouchi injective encoding • valid for elliptic curves with a point of order 2 • no injective encoding is known for prime-order elliptic curves 2 Encode messages in the scalar • message m ∈ M ⊆ Z/qZ is encoded as M = [m]P • decryption requires the computation of a discrete log • limited to small message spaces ` 3 Introduce a hash function h: G → {0, 1} • second component of the ciphertext is deﬁned as c2 = m ⊕ h([r]Y ) • security analysis assumes the ROM (or extra assumptions on the hash function)

9 Some Solutions. . .

Message space is M = {0, 1}`

9 Some Solutions. . .

Message space is M = {0, 1}`

9 Virat’s Cryptosystem

• Elliptic curve is deﬁned over the ring of dual numbers of Fp + Encoding is very eﬃcient • no need to represent messages as points on an elliptic curve − Disadvantages • ciphertext expansion of3 ÷ 1 in the best case (using a compressed representation) • only provides one-wayness [in particular, is not semantically secure]

10 Partial Homomorphism Property

Deﬁnition An encryption scheme is partially homomorphic w.r.t. the ? operator if given the encryption of m anyone can compute the encryption of m0 = m ? K for a chosen value K

Example: Hash ElGamal encryption is partially homomorphic w.r.t. xor

11 Our Contribution

• ElGamal encryption over elliptic curves enjoying the advantages of the known variants Like EC ElGamal • supporting long messages • 2 ÷ 1 ciphertext expansion (using compressed representation) Like hash ElGamal • partially homomorphic • w.r.t. addition (or multiplication) modulo p • Semantically secure • Extension with chosen-ciphertext security

12 Class Function on Elliptic Curves (1/2)

2 3 Elliptic curve E/Fp : y = x + ax + b 2 3 2 3 O or in projective form: E/Fp : Y Z = X + aXZ + bZ and O = (0 : 1 : 0)

2 • Fp = Z/pZ ⊂ Z/p Z ( 2 O 7→ O Ψ: E(Fp) → E(Z/p Z), (x, y) 7→ (x, y + ... p) 2 • E1(Z/p Z) = {(βp : 1 : 0) | 0 ≤ β ≤ p − 1}

13 Class Function on Elliptic Curves (2/2)

• Let P ∈ E(Fp) and let q = ordE (P) 2 2 • Deﬁne U = (p : 1 : 0) ∈ E1(Z/p Z) and V = [p]Ψ(P) ∈ E(Z/p Z) ˆ 2 • Consider G = hPi ⊆ E(Fp) and G = hU,V i ⊆ E(Z/p Z)

Deﬁnition (Class Function)

Any element Q ∈ Gˆ can uniquely be written as

Q = [β]U + [α]V for some α ∈ Z/qZ and β ∈ Z/pZ

Integer β is the class of Q β = [[Q]] Remark: Computing the class is easy

14 New Cryptosystem — Additive Variant

hPi ⊆ E( ), of prime order q Alice Fp Bob message m ∈ {0,..., p − 1} Y = [x]P pk = Y and sk = x random r ∈ {0,..., q − 1} ( C = [r]P and C = [r]Y (C ,c ) 1 2 −−−−−−−−−−−−−−−−−→1 2 c2 = m + [[Ψ(C2)]] (mod p) m = c2 − [[Ψ([x]C1)]] (mod p)

15 New Cryptosystem — Multiplicative Variant

hPi ⊆ E( ), of prime order q Alice Fp Bob message m ∈ {1,..., p − 1} Y = [x]P pk = Y and sk = x random r ∈ {0,..., q − 1} ( C = [r]P and C = [r]Y (C ,c ) 1 2 −−−−−−−−−−−−−−−−−→1 2 c2 = m · [[Ψ(C2)]] (mod p) m = c2/[[Ψ([x]C1)]] (mod p)

16 Complexity Assumptions

Deﬁnition (Class-CDH Assumption — informally)

Let G = hPi ⊆ E(Fp) of order q. Given P,[a]P, and [b]P, compute

[[[ab]P]]

Deﬁnition (Class-DDH Assumption — informally)

Let G = hPi ⊆ E(Fp) of order q. No eﬃcient algorithm can distinguish the distributions P, [a]P, [b]P, [[[ab]P]] and P, [a]P, [b]P,β where a, b ←R Zq and β ←R Zp

17 Complexity Assumptions

Deﬁnition (Class-CDH Assumption — informally)

Let G = hPi ⊆ E(Fp) of order q. Given P,[a]P, and [b]P, compute

[[[ab]P]]

Deﬁnition (Class-DDH Assumption — informally)

Let G = hPi ⊆ E(Fp) of order q. No eﬃcient algorithm can distinguish the distributions P, [a]P, [b]P, [[[ab]P]] and P, [a]P, [b]P,β where a, b ←R Zq and β ←R Zp

17 Security Analysis

• The proposed cryptosystems are • one-way under the Class-CDH assumption • semantically secure under the Class-DDH assumption • Extension: Chosen-ciphertext secure construction • under the Class-DDH assumption • using a collision-resistant chameleon hash function [Cash-Kiltz-Shoup, Eurocrypt 2008]

Open Problem Establish the relations between the Class-DH problems and the regular DH problems

18 Summary

• New cryptosystems to encrypt over elliptic curves • no eﬃciency loss compared to classical ElGamal encryption • partially homomorphic • compatible with existing standards

• No need to represent the messages being encrypted as points on an elliptic curve

19 Comments/Questions?