Ntrucipher-Lattice Based Secret Key Encryption
Total Page:16
File Type:pdf, Size:1020Kb
NTRUCipher-Lattice Based Secret Key Encryption Maheswara Rao Valluri School of Mathematical and Computing Sciences Fiji National University, P.O.Box:7222 Derrick Campus, Suva, Fiji Island [email protected] Abstract—NTRU cryptosystem has allowed designing a over finite fields. Most of the promising candidates of the range of cryptographic schemes due to its flexibility and effi- NTRU cryptosystems are NTRUEncrypt [8] and NTRUSign ciency. Although NTRU cryptosystem was introduced nearly [9] which are resistance to the Shor’s algorithm [14] on two decades ago, it has not yet received any attention like designing a secret key encryption. In this paper, we propose a quantum computers. Damien Stehle et al. proposed a prov- secret key encryption over NTRU lattices, named as NTRUCi- able security version of the NTRU public key cryptosystem n pher. This NTRUCipher is designed using modification of the over the ring, R = Zq[x]/(x + 1), where n is a power NTRU public key encryption. We analyze this cipher efficiency of 2 and q is a prime, which provides encryption [5,6] and and the space complexity with respect to security aspects, digital signature [6]. There is still scope to work further and also show that the NTRUCipher is secured under the indistinguishability chosen plaintext attack. on their contribution in terms of setting up a specific Key words - NTRUCipher; multiple transmission attack; security parameters. Recently, Daniel J Bernstein et al. product form polynomials; secret key encryption. proposed another variant of the NTRU, named as NTRU Prime [4], over the ring, R = Z [x]/(xn x 1), where q − − I. INTRODUCTION n is a prime and q is a power of 2. In this work, we propose lattice based secret key encryption over NTRU Cryptosystem is classified as the secret key cryptosys- lattices, named as NTRUCipher. The framework of the tem (symmetric key cryptosystem) and public key cryp- encryption and decryption is the same as NTRUEncrypt [8] tosystem (asymmetric cryptosystem) based on nature of and the decryption is a probabilistic like the NTRUEncrypt cryptographic key functions and properties. The secret key [8]. Furthermore, we prove the NTRUCipher is secured cryptosystem could be categorized as the stream cipher and under the indistinguishability chosen plaintext attack (IND- block cipher based on size of the secret key, plaintext and CPA), and analyze efficiency and the space complexity with ciphertext. The block ciphers are the most influential crypto- respect to security aspects. graphic primitives in designing cryptographic schemes such The paper is organized as follows: In Section II, we as encryptions, hash functions, and message authentication recall the definition of a secret key encryption and adversary codes. In the secret key encryption, communication parties, model. Section III presents truncated polynomial rings. In a sender and receiver share and use a common key, as the Section IV, we propose the NTRUCipher - lattice based secret key, whereas in the public key cryptosystem both secret key encryption and recommend parameters for the the sender and receiver contain their own secret key and cipher. In Section V, we analyze the NTRUCipher with associated public key. The secret key cryptosystem provides respect to performance, security aspects, and space and cryptographic services such as confidentiality, integrity and arXiv:1710.01928v2 [cs.CR] 6 Oct 2017 time complexity. Finally, we provide conclusion remarks authentication of a message. The strength of the secret key in Section VI. encryption relies on two parameters: strength of algorithm and length of the secret key. The well known secret key block ciphers are the Advanced Encryption Standard (AES) II. PRELIMINARIES [10], RC5 [15], Blowfish [3], Data Encryption Standard In this Section, we recall the formal definition of a secret (DES) [2], and International data encryption algorithm key encryption and its security notations. (IDEA) [17]. These ciphers are built using Feistel net- work except IDEA for encryption and decryption. The Feistel network [7] was designed using XOR operator and A. Notations Permutation-Box (P-Box) and Substitution-Box (S-Box). A real valued function ǫ(c) < c−λ is negligible if for −λ The proposed cipher presented in this paper is designed every λ > 0 there exists cλ > 0 such that ǫ(c) < c using a modification of the NTRU public key cryptosystem for all c>cλ. A probabilistic polynomial time algorithm n [8] over the ring, R = Zq[x]/(x 1), where n is a is said to be efficient if its running time is polynomial prime and q is a power of 2. The− NTRU public key in its input length. We represent x a random variable cryptosystem was first appeared in [8] due to Hoffstein sampled from the probability distribution D as x D. et al. in 1998 and it is based on truncated polynomials The effectiveness of an algorithm to distinguish between← two probability distributions D0 and D1 is measured by define the following experiment between a challenger and its distinguishing advantage, defined by P rx←D0 [A(x) = : | A b 1] P rx←D1 [A(x) = 1] . We say that a decision problem Experiment: IND-CPA ( ) − | SE A is hard if there does not exist an efficient algorithm for 1: The challenger runs k $ eyGen(1λ). it that has a non-negligible advantage in . The statistical ←−K λ 2: outputs a pair of plaintexts (µ ,µ ) of the same distance between two distributions on 0 1 (D0; D1) D0,D1 lengthA and sends (µ ,µ ) to the challenger. some countable△ domain is defined as 0 1 X (D0; D1) = ∗ $ △ 3: The challenger computes c nc(µb, k) and then D0(x) D1(x) . | − | sends c∗ to the adversary. ←−E ′ 4: continues its computation and outputs : b . B. Secret Key Encryption A ′ 5: Output 1 if b = b , and 0 otherwise. The goal of the secret key encryption is to furnish Definition 3. A secret key encryption = confidentiality of communications of two or more parties. ( eyGen, nc, ec) is indistinguishable underSE chosen In the secret key encryption, a common secret key is shared plaintextK attack,E D if it holds for all probabilistic polynomial among the communication parties, before decryption of the time adversary that ciphertext, to furnish confidentiality of the plaintext. The A IND−CPA IND−CPA 1 following definitions are acquired from [12,13]. For further AdvSE ( )= P r[ExpSE ( ) = 1] 2 details, the reader is referred to [12,13]. negl(λ). A | A − |≤ Definition 1. A secret key encryption = ( eyGen, nc, ec) consists of the followingSE three algorithms:K E D III. TRUNCATED POLYNOMIAL RINGS (i) Key Generation: Key Generation ( eyGen) is a N Z K Let q be a prime. We write q for the integer modulo randomized algorithm that outputs a random key. When the ∈ q q q and represents this set by integers in the range ( 2 , 2 ). algorithm is run, a different key is generated every time. −n The truncated polynomial ring Rn,q = Zq[x]/(x + 1) Note that in this case, the input for the algorithm is a null. consists of all polynomials with coefficients in Zq and The randomized output secret key is represented with a degree less than n. An element f Rq is represented as a dollar symbol $: polynomial, ∈ 1: Input: null n−1 $ i . 2: k KeyGen(1λ) f = fix = [f0,f1, ....., fn−1] ←− i=0 (ii) Encryption : Encryption ( nc) is a randomized TwoP polynomials f,g R are multiplied by the ordi- E q algorithm that takes a plaintext µ and the secret key k as nary convolution, ∈ input, and outputs a ciphertext c. (f g) = (f .g ), k =0, 1, ..., n 1, which ∗ k i j − 1: Input: µ µ, k k, where Dµ is the plaintext i+j≡kP(mod n) ∈ D ∈ D is commutative and associative. The convolution product is space, k is the secret key space and secret key k is generatedD by the eyGen(1λ) algorithm. represented by * to distinguish it from the multiplication in $ K Zq. We define a center l2 norm of an element f Rq by 2: c nc(µ, k), otherwise Φ if µ / µ) c c, N−1 − N−1 ∈ ←−E ∈ D ∀ ∈ D 1/2 1 where c is the ciphertext space. f = ( f f¯) , where f¯ = f and the D k k2 i − N i (iii) Decryption : Decryption ( ec) is a deterministic iP=0 iP=0 D infinity norm is f ∞ =max0≤i≤n−1 f fi f . algorithm. k k n Lemma 1[14,15]. For any f,g Rn,q = Zq[x]/(x + 1), 1: Input: c c, k k, where c is the ciphertext ∈ ∈ D ∈ D D f f.g f √n. f f f . f g f and f f.g f n. f f f . f g f . space and k is the secret key, generated by the KeyGen(1λ) ≤ ∞ ≤ ∞ ∞ algorithm. 2: µ ec(c, k) c c. A. Cryptographic Assumptions Correctness← D of the∀ ∈ secret D key encryption works as follows: We say that a secret key encryption = In this Subsection, we define the NTRUCipher ciphertext ( eyGen, nc, ec) is correct, if it holds forSE every cracking problem for which the parameters are chosen K E D $ as recommended in the table 1. The search and decision plaintext µ that P r[Deck(Enck(µ)) = µ : k KeyGen(1λ)] < negl(λ). 6 ←− ciphertext cracking problems are defined as follows: 1) Search NTRUCIpher Ciphertext Cracking Problem: Given c = r k−1 + µ(mod q) R , with r $ C. Security Notations ∗ ∈ n,q ← P (a ,a ,a ), k $ P (a ,a ,a ) , compute (r,k,µ). The aim of an adversary is to capture the secret key n 1 2 3 ← n 1 2 3 of the secret key encryptionA and then perceive the plain- 2) Decision NTRUCIpher Ciphertext Cracking Problem: −1 text corresponding to the ciphertext.