
Choosing Parameters for NTRUEncrypt
Jeff Hoffstein, Jill Pipher, John Schanck, Joseph H. Silverman, William Whyte, Zhenfei Zhang
OnBoard Security / Brown University

Security Innovation Embedded Business Unit is becoming OnBoard Security!
§ Two sister companies being formed
– OnBoard Security: Cryptography, Hardware Roots of Trust and Automotive Security
– Security Innovation: Application Security Services and Education
§ Reasons
– Increase strategic focus on core competencies
– Unlock latent value
– Attract pure-play investors

Goal of presentation
§ Present new parameters as in the published paper
§ Discuss parameter choices at a higher level to explore the differences between published approaches
– LWE
– NTRU
– NTRU Prime
§ Make a mysterious announcement

A Lattice!
[Figure: a 2-D lattice drawn with the basis vectors (f,g) and (F,G)]

Symmetric encryption with lattices: The Close Vector Problem
Example over integers
Lattice basis B = ((f,g), (F,G)) = ((7,1), (2,18))
• Pick m = (-2, 2).
• (maximum norm of m < norm of shortest basis vector)
• Pick random lattice point 5*(7,1) + 1*(2,18) = (37, 23)
• Add m to get e = (35, 25).
To decrypt:
• e = 4.6*(f,g) + 1.3*(F,G) … we get this by dividing: B^-1 = ((G,-g), (-F,f)) * [det(B)]^-1.
• Round to closest lattice point = 5*(7,1) + 1*(2,18) = (37, 23)
• Subtract from e
• Recover m = (-2, 2)
[Figure: e drawn as 4.6*(f,g) + 1.3*(F,G) next to the lattice point 5*(f,g) + 1*(F,G)]

Lattice-based crypto motivation
§ If I take E = a*H + b where H is known and a, b are random and "big enough", then
1. For some size of a and b it is hard to recover a, b (the assumption used in NTRU)
2. For some larger size of a and b, E is indistinguishable from random (a stronger assumption)
§ If I take E = a*H + b where H is known and a, b are "small enough", it may be possible to exploit the fact that E is derived from H to exchange a secret

LWE key agreement
§ Publish: H (example: H = 723)
§ A: generate small (aA, bA) (example: (aA, bA) = (4, 3))
– EA = aA*H + bA, send EA (EA = 2895)
§ B: generate small (aB, bB) (example: (aB, bB) = (-2, 5))
– EB = aB*H + bB, send EB (EB = -1441)
§ A: calculate SA = aA * EB (SA = -5764)
– = aA * aB * H + aA * bB
§ B: calculate SB = aB * EA (SB = -5790)
– = aA * aB * H + aB * bA
§ Top bits/digits are the same! If components are small enough and H is large enough

LWE key agreement
§ Publish: H (example: H = 723, q = 1024)
§ A: generate small (aA, bA) (example: (aA, bA) = (4, 3))
– EA = aA*H + bA, send EA (EA = 847)
§ B: generate small (aB, bB) (example: (aB, bB) = (-2, 5))
– EB = aB*H + bB, send EB (EB = 607)
§ A: calculate SA = aA * EB (SA = 380)
– = aA * aB * H + aA * bB
§ B: calculate SB = aB * EA (SB = 354)
– = aA * aB * H + aB * bA
§ Top bits/digits are the same! If components are small enough and H is large enough

LWE key agreement in a ring
§ Publish: H, R
§ R = any ring, e.g. Z_q[X]/(X^N − 1) or Z_q[X]/(X^N + 1)
– Choice of ring is important, see later
§ A: generate small (aA, bA)
– EA = aA*H + bA, send EA
§ B: generate small (aB, bB)
– EB = aB*H + bB, send EB
§ H, aA, bA, aB, bB = polynomials in the ring
§ A: calculate SA = aA * EB
– = aA * aB * H + aA * bB
§ B: calculate SB = aB * EA
– = aA * aB * H + aB * bA
§ For small enough a, b relative to q, top b
§ Top bits of each coefficient of SA, SB are the same if components are small enough and q is large enough

LWE Encryption
§ Public parameter: A in ring mod q
§ Private key: s, e0, small
§ Public key: A, B = s*A + e0
§ Encrypt n-bit message m: publish
– U = r*A + e1
– V = r*B + e2 + (m * q/2)
§ (Note, the encrypter doesn't know s, so doesn't know the relationship between A and B)
§ Decrypt: calculate V - s*U
– = [r*B + e2 + (m * q/2)] - s*r*A - s*e1
– = s*r*A + r*e0 + e2 + (m * q/2) - s*r*A - s*e1
– = r*e0 + e2 - s*e1 + (m * q/2)
– = [small] + [top bits of the coefficients]
§ If components are small enough and q is large enough

NTRU Encryption – trapdoor in H
§ Review: small * random + small is hard with high enough N
§ Small can be removed given a "clue" in R-LWE encryption
§ Can we embed a trapdoor in H itself?
§ Yes, with an additional assumption:
– NTRU OBSERVATION (Properties of distribution): Given a collection of {f} small in R, then {f^-1} looks uniformly randomly distributed
– NTRU ASSUMPTION (Inversion version): Given h = g * f^-1 in R, it is hard to recover g and f
– NTRU ASSUMPTION (Decisional version): Given h in R, it is hard to tell whether it was randomly generated or generated as g * f^-1
§ Security of NTRU Encryption rests on the Inversion version of this problem

Raw NTRUEncrypt Operations
§ Key Generation
– Generate f, g, "small" polynomials in Z_q[X]/(X^N - 1).
– Public key h = p*f^-1*g mod q; private key = (f, fp = f^-1 mod p).
§ Encrypt (Raw operation)
– Encode message as "small" polynomial m.
– Generate "small" random polynomial r
– Ciphertext e = r*h + m mod q.
§ Decrypt (Raw operation)
– Set a = f*e mod q. ("mod q" = in range [A, A+q-1].)
– Set m = fp * a mod p.

Why Decryption Works
§ a = f * e (mod q)
  = f * (r*h + m) (mod q)
  = f * (r*p*g*f^-1 + m) (mod q)
  = p*r*g + f*m (mod q), since f*Fq = 1 (mod q), where Fq = f^-1 mod q
§ All the components are small, so this equality holds over the integers, not just mod q
– If components are small enough and q is large enough
§ So
– a mod p = f*m mod p
– a * f^-1 mod p = f^-1*f*m mod p = m mod p = m.

NTRUEncrypt v Ring-LWE: fundamental v optional differences
§ NTRUEncrypt:
– Slower keygen (requires inversion)
– Thinner noise:
  § Faster operations
  § Smaller ciphertexts
– Smaller q with same risk of decryption failure
– Smaller q allows smaller N with equivalent lattice security
– Patented mechanism
  § Core patents expire 2017, speedups expire 2021
– CCA-2; public keys can be long-term and reused
– Ring Z[X]/(X^N-1) is factorizable mod q
§ Ring-LWE key exchange:
– Faster keygen, no inversion
– h can be expanded from a seed, saving space
– Thicker noise:
  § Better provability
  § Larger ciphertexts
– Patent concerns over reconciliation
– Some variants are not CCA-2; public keys cannot be reused
– Ring Z[X]/(X^N+1) is factorizable mod q

NTRU history
§ NTRUEncrypt proposed 1996
– Hoffstein, Pipher, Silverman (Brown University)
– Should perhaps be called HPS…
§ Not originally realized to be lattice based! Developed at the same time as Ajtai, etc.
§ Published 1998
– Best attacks: lattice reduction or meet-in-the-middle / brute force
§ NTRUSign proposed 2001
– Not zero-knowledge
§ 2006-2007: "Hybrid attack" (Howgrave-Graham) combines lattice reduction and meet-in-the-middle
– "80-bit secure" parameter sets give 64 bits of security against this attack
– Revised parameter sets proposed
§ 2008: IEEE standard 1363.1 – NTRUEncrypt
§ 2010: X9 standard X9.98 – NTRUEncrypt

CPA / CCA / Key reusability
§ Raw NTRU is not CPA-secure
– Leaks m(1) for known r(1)
§ Use NAEP to provide CPA and CCA-2 security
– Similar to OAEP
– Concatenate message with random "salt"
– Hash to generate r
– Hash (r*h) to generate mask
– m' = message + mask mod p (XOR or similar)
– e = r*h + m'
– On decryption, recover m and salt and repeat encryption; discard if the result is not equal to the received ciphertext
§ Provides CCA2 security if decryption failure probability is negligible

Decryption failures
[Figure: histogram "Distributions of a"; coefficient value on the horizontal axis (-3 to 67), count on the vertical axis (0 to 2176)]
§ Say a = p*r*g + f*m
§ If maxCoeff(a) - minCoeff(a) ≥ q then at least one coefficient of a is reduced mod q on decryption
§ This leads to the resulting value for m being off by some rotation of (f^-1 mod p) * q mod p

Philosophies of parameter choice
§ Ring parameters: N, q, p
– p, q must generate coprime ideals of the ring Z_q[X]/(X^N-1).
§ Alternative ring moduli:
– Ring Z_q[X]/(X^N+1) with N a power of 2
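The integer lattice example from the "Symmetric encryption with lattices" slide (basis ((7,1),(2,18)), m = (-2,2)) worked through in code, as an added illustration that is not part of the slides; the last function also exercises the slide's size condition with a larger m that rounding does not recover.

```python
# Toy "symmetric encryption with lattices" from the slides: a 2-D lattice with basis
# B = ((f,g),(F,G)) = ((7,1),(2,18)). Added example, not the authors' code.
def det(B):
    (f, g), (F, G) = B
    return f * G - g * F

def lattice_point(B, x, y):  # x*(f,g) + y*(F,G)
    (f, g), (F, G) = B
    return (x * f + y * F, x * g + y * G)

def coords(B, v):  # real coordinates of v in basis B, via B^-1 = ((G,-g),(-F,f)) / det(B)
    (f, g), (F, G) = B
    d = det(B)
    return ((v[0] * G - v[1] * F) / d, (-v[0] * g + v[1] * f) / d)

def cvp_encrypt(B, x, y, m):  # hide m by adding it to the lattice point x*(f,g) + y*(F,G)
    px, py = lattice_point(B, x, y)
    return (px + m[0], py + m[1])

def cvp_decrypt(B, e):  # round the coordinates to the nearest lattice point, subtract it
    cx, cy = coords(B, e)
    px, py = lattice_point(B, round(cx), round(cy))
    return (e[0] - px, e[1] - py)

def roundtrip_ok(B, x, y, m):  # True only when rounding lands on the lattice point used
    return cvp_decrypt(B, cvp_encrypt(B, x, y, m)) == m

B = ((7, 1), (2, 18))  # the slides' basis
```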
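The integer "LWE key agreement" slides (H = 723, small pairs (4,3) and (-2,5), with and without q = 1024) run from both sides, as an added example that is not the slides' code; cross_noise returns SA - SB, which is exactly the small term aA*bB - aB*bA that the shared top bits must absorb.

```python
# Integer toy of the slides' LWE key agreement (one number, no ring, no security).
# Added example, not the authors' code; H, q and the small pairs are the slides' values.
def modq(x, q):  # reduce into [0, q) when a modulus is given, else keep the integer
    return x % q if q else x

def lwe_toy_agreement(H, aA, bA, aB, bB, q=None):
    """Both sides' messages and the two computed secrets: (EA, EB, SA, SB)."""
    EA = modq(aA * H + bA, q)   # A sends EA
    EB = modq(aB * H + bB, q)   # B sends EB
    SA = modq(aA * EB, q)       # A: aA*aB*H + aA*bB
    SB = modq(aB * EA, q)       # B: aA*aB*H + aB*bA
    return EA, EB, SA, SB

def top_bits(x, q, k):  # the k most significant bits of x in [0, q), q a power of two
    return x >> (q.bit_length() - 1 - k)

def cross_noise(aA, bA, aB, bB, q):  # SA - SB mod q = aA*bB - aB*bA
    return modq(aA * bB - aB * bA, q)
```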
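The "Raw NTRUEncrypt Operations" and "Why Decryption Works" slides as an added toy implementation, not the authors' code: key generation with f^-1 mod p and mod q, e = r*h + m, a = f*e centered mod q, m = fp*a mod p. The inversion method (Gauss-Jordan on the circulant of f, then Hensel lifting to q = 2^k) is this example's choice, and N, p, q are constructed toy values; q is chosen so that the spread of p*r*g + f*m stays below q and the decryption-failure case of the later slide cannot occur.

```python
# Toy NTRUEncrypt raw operations in Z_q[X]/(X^N - 1), following the slides. Added
# example, not the authors' code; N, p, q are constructed toy values, not secure.
import random
N, p, q = 11, 3, 128  # ternary f,g,r,m give |coeff(p*r*g + f*m)| <= 3*N + N = 44 < q/2: no decryption failure
def mul(a, b, mod):  # cyclic convolution: the product in Z_mod[X]/(X^N - 1)
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def center(a, mod):  # coefficients into [-mod/2, mod/2): the "[A, A+q-1]" window
    return [(x + mod // 2) % mod - mod // 2 for x in a]

def inverse_mod_prime(f, pr):  # f^-1 mod prime pr by Gauss-Jordan on the circulant of f, or None
    M = [[f[(i - j) % N] % pr for j in range(N)] + [int(i == 0)] for i in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if M[r][col]), None)
        if piv is None:
            return None  # f is not a unit in Z_pr[X]/(X^N - 1)
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, pr)
        M[col] = [v * inv % pr for v in M[col]]
        for r in range(N):
            if r != col and M[r][col]:
                M[r] = [(vr - M[r][col] * vc) % pr for vr, vc in zip(M[r], M[col])]
    return [row[N] for row in M]

def inverse_mod_q(f):  # lift f^-1 mod 2 to mod q = 2^k with inv <- inv * (2 - f*inv)
    inv, m = inverse_mod_prime(f, 2), 2
    while inv is not None and m < q:
        t = [-x % q for x in mul(f, inv, q)]
        t[0] = (t[0] + 2) % q
        inv, m = mul(inv, t, q), m * m
    return inv

def keygen(seed):  # public h = p * f^-1 * g mod q; private (f, fp = f^-1 mod p)
    rng = random.Random(seed)
    while True:
        f = [rng.choice((-1, 0, 1)) for _ in range(N)]
        g = [rng.choice((-1, 0, 1)) for _ in range(N)]
        fp, fq = inverse_mod_prime(f, p), inverse_mod_q(f)
        if fp is not None and fq is not None:
            return mul([p * x for x in fq], g, q), (f, fp)

def ntru_encrypt(h, m, r):  # raw ciphertext e = r*h + m mod q (no NAEP padding)
    return [(x + y) % q for x, y in zip(mul(r, h, q), m)]

def ntru_decrypt(e, sk):  # a = f*e mod q (centered), then m = fp * a mod p (centered)
    return center(mul(sk[1], center(mul(sk[0], e, q), q), p), p)
```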