Round5: a KEX based on learning with rounding over the rings Zhenfei Zhang [email protected] September 19, 2018 Round5 September 19, 2018 1 / 49 Areas I have been working on Theoretical results Signature schemes: Falcon (NTRUSign+GPV), pqNTRUSign Security proofs: Computational R-LWR problem Fully homomorphic encryptions Raptor: lattice based linkable ring signature (Blockchains!) Practical instantiations NTRU, Round5 Cryptanalysis and parameter derivation for lattices Efficient implementations: AVX-2 Constant time implementations Standardization: NIST, IETF, ETSI, ISO, CACR PQC process Deployment: enabling PQC for TLS, Tor, libgcrypt Under the radar: lattice based DAA, NIZK Round5 September 19, 2018 2 / 49 This talk Theoretical results Signature schemes: Falcon (NTRUSign+GPV), pqNTRUSign Security proofs: Computational R-LWR problem Fully homomorphic encryptions Raptor: lattice based linkable ring signature (Blockchains!) Practical instantiations NTRU, Round5 Cryptanalysis and parameter derivation for lattices Efficient implementations: AVX-2 Constant time implementations Standardization: NIST, IETF, ETSI, ISO, CACR PQC process Deployment: enabling PQC for TLS, Tor, libgcrypt Under the radar: lattice based DAA, NIZK Round5 September 19, 2018 3 / 49 Diffie-Hellman Alice:(a; A = g a) BoB(b; B = g b) A B g ab ab ∗ A; B and g are group elements over Zq. Round5 September 19, 2018 4 / 49 RLWE-KEX Alice:(a; A = Ga + ea) BoB(b; B = Gb + eb) A B aGb + aeb ≈ bGa + bea . Every element is a ring element over R .= Zq[x]=f (x). Round5 September 19, 2018 5 / 49 RLWE-KEX Alice:(a; X = Ga + ea) BoB(b; B = Gb + eb) A B Reconciliation r Extract(aGb + aeb; r) = Extract(bGa + bea; r) . Every element is a ring element over R .= Zq[x]=f (x). Round5 September 19, 2018 6 / 49 NTRU-KEM Alice:(a = 2t + 1; A = 2g=a) BoB:(b; m) A B = 2bA + m B m = Ba = 2bg + ma = m mod 2 m . N Every element is a ring element over R .= Zq[x]=(x − 1). Round5 September 19, 2018 7 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N N Ring Zq[x]=(x − 1) Zq[x]=(x + 1) Provable security No Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large Major concerns on NTRU No provable security Slow key generation c.f. New Hope Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX Major concerns on NTRU No provable security Slow key generation c.f. New Hope Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N N Ring Zq[x]=(x − 1) Zq[x]=(x + 1) Provable security No Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes(?) Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor Yes No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes(?) Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor No No KeyGen Slow Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Hardness of dec R-LWR is an open problem Round5 September 19, 2018 8 / 49 NTRU-KEM vs RLWE-KEX NTRU R-LWE N Ring Zq[x]=(φN (x)) Zq[x]=(x + 1) Provable security Yes Yes dim pdim Secrets Trinary: {−1; 0; 1g Gaussian: χ q pdim Errors Rounded, binary Gaussian: χ q Trapdoor No No KeyGen Fast Fast CT size Small Large RLWE is hard for any ring of integers [PRS17] Hardness of dec R-LWR is an open problem (more on this later) Round5 September 19, 2018 8 / 49 The new NTRU, a.k.a. R-LWR-KEX Alice:(a; A = Round(Ga)) BoB(b; B = Round(Gb)) A B Reconciliation r Extract(Round(aB); r) = Extract(Round(bA); r) . a; b are ring elements over R .= Zq[x]=f (x); A; B are rounded over Zp[x]. Round5 September 19, 2018 9 / 49 R-LWR-KEX Improvements 743 Prime cyclotomic ring, i.e., φ743(x) = (x − 1)=(x − 1) Rounding instead of errors \Disadvantages" Parameters not compatible with number theoretic transform (NTT) Noise dependency Round5 September 19, 2018 10 / 49 Improvements I - PC ring Prime Cyclotomic ring PC ring as secure as power-of-2 cyclotomics; 1024 i.e., φ2048(x) = x + 1; Degree ≈ 700 offers enough security against BKZ attacks with quantum sieving; NewHope - has to be 512, 1024, etc.; Kyber - a multiple of 256; PC - any prime > 700; Also used in LIMA, NTRU-KEM, etc. Round5 September 19, 2018 11 / 49 Round5 September 19, 2018 12 / 49 Improvements II - Rounding Rounding Less randomness sampling - ea and eb; Ciphertext reduced to n log p, c.f. n log q; Small enough to be in an MTU for TLS; Introduces new assumptions. Round5 September 19, 2018 13 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Round5 September 19, 2018 14 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Karatsuba and Toom-Cook Divide and Conquer; Parameter dependent optimizations; Improving NTRU-743 reference implementation by 2.3x; Constant time; strong side channel resistance; Slightly slower than NTT for similar N. Round5 September 19, 2018 14 / 49 \Disadvantages" I - Ring multiplications Rule of Thumb School book Karatsuba/Toom-Cook ' NTT > Index based Index based Super friendly with a trinary polynomial; Even faster than NTT; Constant time iff Ham(a) and Ham(b) are constant; Memory leakage. Round5 September 19, 2018 14 / 49 \Disadvantages" II - Noise management Rational: Use ECC to control errors Consider c(x) = a(x)b(x) mod xN−1 + xN−2 + ··· + 1 0 N 0 Let c (x) = a(x)b(x) mod (x − 1), then c (x) = c(x) mod φN (x) 0 0 ) ci = ci − cN Noise, i.e., kxey k1 is \doubled"; 0 Every coefficient is \lifted" by cN - creates dependency; ECC doesn't work on dependent errors. Round5 September 19, 2018 15 / 49 \Disadvantages" II - Noise management Rational: Use ECC to control errors Consider c(x) = a(x)b(x) mod xN−1 + xN−2 + ··· + 1 0 N 0 Let c (x) = a(x)b(x) mod (x − 1), then c (x) = c(x) mod φN (x) 0 0 ) ci = ci − cN Noise, i.e., kxey k1 is \doubled"; 0 Every coefficient is \lifted" by cN - creates dependency; ECC doesn't work on dependent errors. Solution - ring switching N multiply over φN (x), lift the final results to x − 1 ring; c0(x) = c(x)(x − 1) Only use the coefficients of 1; x2; x4; x6;::: ∼ N Security? Z[x]/φN (x) = Z[x]=(x − 1) \ fPoly with root 1g Round5 September 19, 2018 15 / 49 Round2 The team Philips: Hayo Baan, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Riemann, Ludo Tolhuizen, Jose Luis Torre Arce OnBoard Security: Zhenfei Zhang Round5 September 19, 2018 16 / 49 Round5 = Round2 + HILA5's ECC The team Philips: Hayo Baan, Sauvik Bhattacharya, Oscar Garcia-Morchon, Ronald Riemann, Ludo Tolhuizen, Jose Luis Torre Arce Cisco: Scott Fluhrer Rambus: Mike Hamburg TU/e: Thijs Laarhoven PQShield: Markku-Juhani Olavi Saarinen OnBoard Security: Zhenfei Zhang Round5 September 19, 2018 17 / 49 Performance Round5 September 19, 2018 18 / 49 Performance Round5 September 19, 2018 19 / 49 Performance Round5 September 19, 2018 20 / 49 Deployment: TLS Round5 September 19, 2018 21 / 49 Deployment: Hybrid solutions Round5 September 19, 2018 22 / 49 Round5 September 19, 2018 23 / 49 Another look at the security Round5 ) Dec R-LWR over PC ) Search R-LWE over PC ) Search R-LWE over any ring ) BDD over Ideal Lattices Round5 September 19, 2018 24 / 49 Another look at the security Round5)Dec R-LWR over PC )Search R-LWE over PC )Search R-LWE over any ring )BDD over Ideal Lattices Round5 September 19, 2018 25 / 49 What about the hardness of Dec R-LWR? Dec R-LWE as hard as search R-LWE Given (a; b = as + e) 2 R2; Increase the first coefficient of b gradually and call Dec R-LWE oracle; Oracle will keep returning true till overflow - this tells us e0; Repeat for all coefficients to learn e; Extract s from a noisy free sample b0 = as. Round5 September 19, 2018 26 / 49 What about the hardness of Dec R-LWR? Dec R-LWE as hard as search R-LWE Given (a; b = as + e) 2 R2; Increase the first coefficient of b gradually and call Dec R-LWE oracle; Oracle will keep returning true till overflow - this tells us e0; Repeat for all coefficients to learn e; Extract s from a noisy free sample b0 = as. Dec R-LWR? We can't modify e - it is deterministic. Round5 September 19, 2018 26 / 49 Our approach Intuition Search Problem ≥ Computational Problem ≥ Decisional Problem Computational Diffie-Hellman: given fg; g x ; g y g, find g xy ; Similarly, given fa; Round(as1); Round(as2)g, find Round(as1s2); This is the underlying problem for R-LWR-KEX Dec R-LWR problem isn't essential.
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages69 Page
-
File Size-