Round5: a KEX Based on Learning with Rounding Over the Rings

Round5: a KEX Based on Learning with Rounding Over the Rings

Round5: a KEX based on learning with rounding over the rings Zhenfei Zhang [email protected] September 19, 2018 Round5 September 19, 2018 1 / 49 Areas I have been working on Theoretical results Signature schemes: Falcon (NTRUSign+GPV), pqNTRUSign Security proofs: Computational R-LWR problem Fully homomorphic encryptions Raptor: lattice based linkable ring signature (Blockchains!) Practical instantiations NTRU, Round5 Cryptanalysis and parameter derivation for lattices Efficient implementations: AVX-2 Constant time implementations Standardization: NIST, IETF, ETSI, ISO, CACR PQC process Deployment: enabling PQC for TLS, Tor, libgcrypt Under the radar: lattice based DAA, NIZK Round5 September 19, 2018 2 / 49 This talk Theoretical results Signature schemes: Falcon (NTRUSign+GPV), pqNTRUSign Security proofs: Computational R-LWR problem Fully homomorphic encryptions Raptor: lattice based linkable ring signature (Blockchains!) Practical instantiations NTRU, Round5 Cryptanalysis and parameter derivation for lattices Efficient implementations: AVX-2 Constant time implementations Standardization: NIST, IETF, ETSI, ISO, CACR PQC process Deployment: enabling PQC for TLS, Tor, libgcrypt Under the radar: lattice based DAA, NIZK Round5 September 19, 2018 3 / 49 Diffie-Hellman Alice:(a; A = g a) BoB(b; B = g b) A B g ab ab ∗ A; B and g are group elements over Zq. Round5 September 19, 2018 4 / 49 RLWE-KEX Alice:(a; A = Ga + ea) BoB(b; B = Gb + eb) A B aGb + aeb ≈ bGa + bea . Every element is a ring element over R .= Zq[x]=f (x). Round5 September 19, 2018 5 / 49 RLWE-KEX Alice:(a; X = Ga + ea) BoB(b; B = Gb + eb) A B Reconciliation r Extract(aGb + aeb; r) = Extract(bGa + bea; r) . Every element is a ring element over R .= Zq[x]=f (x). Round5 September 19, 2018 6 / 49 NTRU-KEM Alice:(a = 2t + 1; A = 2g=a) BoB:(b; m) A B = 2bA + m B m = Ba = 2bg + ma = m mod 2 m . N Every element is a ring element over R .= Zq[x]=(x − 1). Round5 September 19, 2018 7 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N N Ring Zq[x]=(x − 1) Zq[x]=(x + 1) Provable security No Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large Major concerns on NTRU No provable security Slow key generation c.f. New Hope Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX Major concerns on NTRU No provable security Slow key generation c.f. New Hope Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N N Ring Zq[x]=(x − 1) Zq[x]=(x + 1) Provable security No Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes(?) Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes(?) Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor No No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Hardness of dec R-LWR is an open problem Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor No No KeyGen Fast Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Hardness of dec R-LWR is an open problem (more on this later) Round5 September 19, 2018 8 / 49 The new NTRU, a.k.a. R-LWR-KEX Alice:(a; A = Round(Ga)) BoB(b; B = Round(Gb)) A B Reconciliation r Extract(Round(aB); r) = Extract(Round(bA); r) . a; b are ring elements over R .= Zq[x]=f (x); A; B are rounded over Zp[x]. Round5 September 19, 2018 9 / 49 R-LWR-KEX Improvements 743 Prime cyclotomic ring, i.e., φ743(x) = (x − 1)=(x − 1) Rounding instead of errors \Disadvantages" Parameters not compatible with number theoretic transform (NTT) Noise dependency Round5 September 19, 2018 10 / 49 Improvements I - PC ring Prime Cyclotomic ring PC ring as secure as power-of-2 cyclotomics; 1024 i.e., φ2048(x) = x + 1; Degree ≈ 700 offers enough security against BKZ attacks with quantum sieving; NewHope - has to be 512, 1024, etc.; Kyber - a multiple of 256; PC - any prime > 700; Also used in LIMA, NTRU-KEM, etc. Round5 September 19, 2018 11 / 49 Round5 September 19, 2018 12 / 49 Improvements II - Rounding Rounding Less randomness sampling - ea and eb; Ciphertext reduced to n log p, c.f. n log q; Small enough to be in an MTU for TLS; Introduces new assumptions. Round5 September 19, 2018 13 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Round5 September 19, 2018 14 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Karatsuba and Toom-Cook Divide and Conquer; Parameter dependent optimizations; Improving NTRU-743 reference implementation by 2.3x; Constant time; strong side channel resistance; Slightly slower than NTT for similar N. Round5 September 19, 2018 14 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Index based Super friendly with a trinary polynomial; Even faster than NTT; Constant time iff Ham(a) and Ham(b) are constant; Memory leakage. Round5 September 19, 2018 14 / 49 \Disadvantages" II - Noise management Rational: Use ECC to control errors Consider c(x) = a(x)b(x) mod xN−1 + xN−2 + ··· + 1 0 N 0 Let c (x) = a(x)b(x) mod (x − 1), then c (x) = c(x) mod φN (x) 0 0 ) ci = ci − cN Noise, i.e., kxey k1 is \doubled"; 0 Every coefficient is \lifted" by cN - creates dependency; ECC doesn't work on dependent errors. Round5 September 19, 2018 15 / 49 \Disadvantages" II - Noise management Rational: Use ECC to control errors Consider c(x) = a(x)b(x) mod xN−1 + xN−2 + ··· + 1 0 N 0 Let c (x) = a(x)b(x) mod (x − 1), then c (x) = c(x) mod φN (x) 0 0 ) ci = ci − cN Noise, i.e., kxey k1 is \doubled"; 0 Every coefficient is \lifted" by cN - creates dependency; ECC doesn't work on dependent errors. Solution - ring switching N multiply over φN (x), lift the final results to x − 1 ring; c0(x) = c(x)(x − 1) Only use the coefficients of 1; x2; x4; x6;::: ∼ N Security? Z[x]/φN (x) = Z[x]=(x − 1) \ fPoly with root 1g Round5 September 19, 2018 15 / 49 Round2 The team Philips: Hayo Baan, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Riemann, Ludo Tolhuizen, Jose Luis Torre Arce OnBoard Security: Zhenfei Zhang Round5 September 19, 2018 16 / 49 Round5 = Round2 + HILA5's ECC The team Philips: Hayo Baan, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Riemann, Ludo Tolhuizen, Jose Luis Torre Arce Cisco: Scott Fluhrer Rambus: Mike Hamburg TU/e: Thijs Laarhoven PQShield: Markku-Juhani Olavi Saarinen OnBoard Security: Zhenfei Zhang Round5 September 19, 2018 17 / 49 Performance Round5 September 19, 2018 18 / 49 Performance Round5 September 19, 2018 19 / 49 Performance Round5 September 19, 2018 20 / 49 Deployment: TLS Round5 September 19, 2018 21 / 49 Deployment: Hybrid solutions Round5 September 19, 2018 22 / 49 Round5 September 19, 2018 23 / 49 Another look at the security Round5 ) Dec R-LWR over PC ) Search R-LWE over PC ) Search R-LWE over any ring ) BDD over Ideal Lattices Round5 September 19, 2018 24 / 49 Another look at the security Round5)Dec R-LWR over PC )Search R-LWE over PC )Search R-LWE over any ring )BDD over Ideal Lattices Round5 September 19, 2018 25 / 49 What about the hardness of Dec R-LWR? Dec R-LWE as hard as search R-LWE Given (a; b = as + e) 2 R2; Increase the first coefficient of b gradually and call Dec R-LWE oracle; Oracle will keep returning true till overflow - this tells us e0; Repeat for all coefficients to learn e; Extract s from a noisy free sample b0 = as. Round5 September 19, 2018 26 / 49 What about the hardness of Dec R-LWR? Dec R-LWE as hard as search R-LWE Given (a; b = as + e) 2 R2; Increase the first coefficient of b gradually and call Dec R-LWE oracle; Oracle will keep returning true till overflow - this tells us e0; Repeat for all coefficients to learn e; Extract s from a noisy free sample b0 = as. Dec R-LWR? We can't modify e - it is deterministic. Round5 September 19, 2018 26 / 49 Our approach Intuition Search Problem ≥ Computational Problem ≥ Decisional Problem Computational Diffie-Hellman: given fg; g x ; g y g, find g xy ; Similarly, given fa; Round(as1); Round(as2)g, find Round(as1s2); This is the underlying problem for R-LWR-KEX Dec R-LWR problem isn't essential.

View Full Text

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    69 Page
  • File Size
    -

Download

Channel Download Status
Express Download Enable

Copyright

We respect the copyrights and intellectual property rights of all users. All uploaded documents are either original works of the uploader or authorized works of the rightful owners.

  • Not to be reproduced or distributed without explicit permission.
  • Not used for commercial purposes outside of approved use cases.
  • Not used to infringe on the rights of the original creators.
  • If you believe any content infringes your copyright, please contact us immediately.

Support

For help with questions, suggestions, or problems, please contact us