TRANSCRIPT
NTRU Parameters: Past, Present, and Future
John M. Schanck
Security Innovation & Institute for Quantum Computing, University of Waterloo
September 21, 2016
Outline
- Description of NTRUEncrypt
- Past and present parameters
- Attack History: Algebraic attacks; Active adversaries
- Outlook: Should we be more conservative?
- Setup: ring $R$ (rank $n$ as a $\mathbb{Z}$-module); coprime ideals $qR$, $pR$.
- Private key: $(f, g)$ "small" in $R^2$ with $f$ invertible in $R/qR$.
- Public key: canonical basis for $(R/qR) \cdot (f, g)$:
  $(1, h) := \tfrac{1}{f} \cdot (f, g) = (1, g/f)$.
- Encryption to $h$:
  - $(r, m) \mapsto [p \cdot r \cdot h + m]_q$
  - Think: second component of $p \cdot r \cdot (1, h) + (0, m)$.
  - $r$ and $m$ required to be "small".
- Decryption:
  - $p \cdot r \cdot h + m \mapsto (r, m)$ via
    $[f \cdot (p \cdot r \cdot h + m)]_q \stackrel{?}{=} p \cdot r \cdot g + f \cdot m$ (over $R$),
    $p \cdot r \cdot g + f \cdot m \equiv f \cdot m \pmod p$.
What I've left out:
1. Choice of $R$, $qR$, $pR$.
   - Algebraic attacks.
2. Definition of "small".
   - Lattice and combinatorial attacks.
3. The conditions for equality in
   $[f \cdot (p \cdot r \cdot h + m)]_q \stackrel{?}{=} p \cdot r \cdot g + f \cdot m$.
   - "Decryption failures."
4. How to recover $(r, m)$ from $f \cdot m$ and the ciphertext.
   - Chosen ciphertext attacks.
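The scheme above, as an added example that is not code from the talk: a toy NTRUEncrypt in Python over $R = \mathbb{Z}[x]/(x^n - 1)$ with $p = 3$ and $q$ a power of two. It makes item 3 concrete: `wraps` computes $p \cdot r \cdot g + f \cdot m$ over the integers and reports whether any coefficient falls outside the centred interval that $[\,\cdot\,]_q$ uses (here $[-q/2, q/2)$), which is exactly when `decrypt` returns something other than $m$. Computing $f^{-1} \bmod q$ by a Newton lift from $f^{-1} \bmod 2$ is this example's own implementation choice, and the parameter set $(n, p, q, d_f, d_g, d_r) = (107, 3, 64, 15, 12, 5)$ is a small one picked for speed, not one of the 1998 or 2016 sets on the slides.

```python
# Added example (not code from the talk): toy NTRUEncrypt over R = Z[x]/(x^n - 1),
# p = 3, q a power of two, with an explicit check of the decryption condition
#   [f * (p*r*h + m)]_q == p*r*g + f*m over Z   iff   no coefficient wraps modulo q.
# Inversion mod q by a Newton lift from the inverse mod 2 is this example's choice.
import random
from itertools import zip_longest

def ring_mul(a, b, n, mod=None):
    """Product in Z[x]/(x^n - 1); coefficients reduced mod `mod` when given."""
    c = [0] * n
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % n] += ai * bj
    return [x % mod for x in c] if mod else c

def centre(a, mod):
    """[.]_mod: lift coefficients to representatives in [-mod/2, mod/2)."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]

def poly_trim(a):
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, pr):
    """Plain product in F_pr[x] (no reduction mod x^n - 1)."""
    c = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % pr
    return poly_trim(c)

def poly_divmod(a, b, pr):
    """Long division in F_pr[x] for trimmed b != 0; returns (quotient, remainder)."""
    a, quo = a[:], [0] * max(len(a) - len(b) + 1, 1)
    inv_lead = pow(b[-1], -1, pr)
    while len(a) >= len(b):
        shift, coef = len(a) - len(b), (a[-1] * inv_lead) % pr
        quo[shift] = coef
        for i, bi in enumerate(b):
            a[shift + i] = (a[shift + i] - coef * bi) % pr
        poly_trim(a)
    return poly_trim(quo), a

def invert_mod_prime(f, n, pr):
    """Inverse of f in F_pr[x]/(x^n - 1) by extended Euclid; None if gcd != 1."""
    r0 = [(-1) % pr] + [0] * (n - 1) + [1]        # x^n - 1
    r1 = poly_trim([c % pr for c in f])
    s0, s1 = [], [1]                              # invariant: r_i == s_i * f  (mod x^n - 1)
    while r1:
        quo, rem = poly_divmod(r0, r1, pr)
        prod = poly_mul(quo, s1, pr)
        s_new = poly_trim([(x - y) % pr for x, y in zip_longest(s0, prod, fillvalue=0)])
        r0, r1, s0, s1 = r1, rem, s1, s_new
    if len(r0) != 1:                              # gcd has positive degree: f is not a unit
        return None
    inv = pow(r0[0], -1, pr)
    res = [(c * inv) % pr for c in s0]
    return res + [0] * (n - len(res))

def invert_mod_power_of_two(f, n, q):
    """Lift f^-1 mod 2 to f^-1 mod q = 2^k with Newton steps v <- v * (2 - f*v)."""
    v, mod = invert_mod_prime(f, n, 2), 2
    while v is not None and mod < q:
        mod = min(mod * mod, q)                   # each step doubles the number of exact bits
        fv = ring_mul(f, v, n, mod)
        two_minus_fv = [(-x) % mod for x in fv]
        two_minus_fv[0] = (two_minus_fv[0] + 2) % mod
        v = ring_mul(v, two_minus_fv, n, mod)
    return v

def trinary(n, ones, neg_ones, rng):
    """Sparse trinary polynomial with `ones` coefficients +1 and `neg_ones` coefficients -1."""
    coeffs = [1] * ones + [-1] * neg_ones + [0] * (n - ones - neg_ones)
    rng.shuffle(coeffs)
    return coeffs

def keygen(params, rng):
    n, p, q, df, dg, _ = params
    while True:                                   # retry until f is invertible mod q and mod p
        f = trinary(n, df, df - 1, rng)           # f(1) = 1, so x - 1 never divides f
        fq, fp = invert_mod_power_of_two(f, n, q), invert_mod_prime(f, n, p)
        if fq is not None and fp is not None:
            break
    g = trinary(n, dg, dg, rng)
    h = ring_mul(fq, g, n, q)                     # public key h = g/f in R/qR
    return h, (f, g, fp)

def encrypt(h, m, r, params):
    n, p, q, *_ = params
    prh = ring_mul([p * x for x in r], h, n, q)
    return [(a + b) % q for a, b in zip(prh, m)]  # e = [p*r*h + m]_q

def decrypt(sk, e, params):
    n, p, q, *_ = params
    f, _, fp = sk
    a = centre(ring_mul(f, e, n, q), q)           # p*r*g + f*m over Z, unless a coefficient wrapped
    return centre(ring_mul(fp, [x % p for x in a], n, p), p)   # (f*m mod p) * f^-1 = m mod p

def wraps(sk, r, m, params):
    """True iff p*r*g + f*m (over Z) has a coefficient outside [-q/2, q/2): decryption fails."""
    n, p, q, *_ = params
    f, g, _ = sk
    poly = [a + b for a, b in zip(ring_mul([p * x for x in r], g, n), ring_mul(f, m, n))]
    return any(not -q // 2 <= c < q // 2 for c in poly)

def demo(seed):
    """One key and one message: returns (decryption recovered m, wrap-around occurred)."""
    params = (107, 3, 64, 15, 12, 5)              # (n, p, q, d_f, d_g, d_r): small set chosen for speed
    rng = random.Random(seed)
    n, dr = params[0], params[5]
    h, sk = keygen(params, rng)
    m, r = trinary(n, 20, 20, rng), trinary(n, dr, dr, rng)
    return decrypt(sk, encrypt(h, m, r, params), params) == m, wraps(sk, r, m, params)

if __name__ == "__main__":
    for seed in range(8):
        print(seed, demo(seed))
```

For this parameter set the coefficients of $p \cdot r \cdot g + f \cdot m$ are bounded by $3 \cdot 10 + 29 = 59 < q$, so a wrapped coefficient is off by exactly $\pm q$; since $q \equiv 1 \pmod 3$ that error survives reduction mod $p$, which is why the two booleans returned by `demo` are always opposite. The same `wraps` check, run over many random $(r, m)$, is the crude way to estimate the failure rates quoted on the next slide for a given parameter set.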
Past and present parameters
1998 → 2016

More than 128-bit security in 1998:
1. $R = \mathbb{Z}[x]/(x^{503} - 1)$, $p = 3$, $q = 256$.
2. "Small" means "sparse trinary polynomial."
3. Decryption fails with probability $< 2^{-14}$.
4. Select $r$ and $m$ independently. Don't bother recovering $r$ during decryption.

More than 128-bit security in 2016:
1. $R = \mathbb{Z}[x]/(x^{587} - 1)$, $p = 3$, $q = 2048$.
2. "Small" means "not-quite-as-sparse trinary polynomial."
3. Decryption fails with probability $< 2^{-128}$.
4. Choose $r$ and $m$ using standardized mechanisms.
Choice of R

1996 NTRU preprint circulated at the CRYPTO rump session.
- Primarily discusses $R = \mathbb{Z}[x]/(x^n - 1)$.
- Suggests both $n$ and $(n-1)/2$ be prime.
- Briefly mentions $\mathbb{F}_\ell[t][x]/(x^n - 1)$ and $\mathbb{Z}[x]/(x^n - x - 1)$.

2002 Gaborit–Ohler–Solé, "CTRU": instantiation of a function field variant, $\mathbb{F}_2[t][x]/(x^n - 1)$.

2016 Bernstein–Chuengsatiansup–Lange–van Vredendaal, "NTRU Prime": instantiation in $\mathbb{Z}[x]/(x^{739} - x - 1)$.
Concerns about $\mathbb{Z}[x]/(x^n - 1)$

2001 May–Silverman, "Dimension Reduction Methods for Convolution Modular Lattices."
- Cyclic structure affects the probability that a $\mathbb{Z}$-module homomorphism $\mathbb{Z}^{2n} \to \mathbb{Z}^m$, $m < 2n$, preserves the length of a shortest vector.
2001 Gentry, "Key recovery and message attacks on NTRU-Composite."
- Ring homomorphisms $\mathbb{Z}[x]/(x^n - 1) \to \mathbb{Z}[x]/(x^d - 1)$ roughly preserve shortest vector length when $d \mid n$ and $d$ is sufficiently large.
- Suggests composite $n$ not be used.
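Worked derivation, added here and not part of the talk, of why the map in Gentry's attack keeps $(f, g)$ short and keeps it inside an NTRU lattice; symbols as on the slides, with $d \mid n$. Write $\phi$ for reduction modulo $x^d - 1$:

$$\phi:\ \mathbb{Z}[x]/(x^n-1) \to \mathbb{Z}[x]/(x^d-1),\qquad \phi\Big(\sum_{i<n} a_i x^i\Big) = \sum_{j<d} \Big(\sum_{i \equiv j \ (\mathrm{mod}\ d)} a_i\Big) x^j .$$

Because $d \mid n$, $x^d - 1$ divides $x^n - 1$, so $\phi$ is a ring homomorphism. Applying it to the key relation $f \cdot h \equiv g \pmod q$ gives

$$\phi(f) \cdot \phi(h) \equiv \phi(g) \pmod{q,\ x^d - 1},$$

so $(\phi(f), \phi(g))$ is a vector in the $2d$-dimensional NTRU lattice of the public key $\phi(h)$. Its length is controlled by Cauchy–Schwarz on each residue class modulo $d$ (each of size $n/d$):

$$\|\phi(f)\|_2^2 = \sum_{j<d}\Big(\sum_{i \equiv j} f_i\Big)^2 \le \frac{n}{d}\,\|f\|_2^2 ,$$

and for sparse trinary $f$ the inner sums rarely contain more than one nonzero term, so in practice $\|\phi(f)\|_2 \approx \|f\|_2$. Meanwhile the Gaussian-heuristic length of a shortest vector in an NTRU lattice of dimension $2d$ and determinant $q^d$ is about $\sqrt{2d/(2\pi e)}\,\sqrt{q}$, which shrinks as $d$ shrinks while $(\phi(f), \phi(g))$ does not. The folded pair therefore remains an unusually short vector, and hence a lattice-reduction target, only while $d$ is large enough; that is the "sufficiently large" condition above, and it is why the attack needs $n$ to have a large proper divisor.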
2002 Gentry–Szydlo, "Cryptanalysis of the Revised NTRU Signature Scheme"
- Search for $(f \cdot \bar{f}, g \cdot \bar{g})$ in a sublattice of "palindromes".
- Attributed to Jonsson, Nguyen, and Stern as well.
- Structure induced by the relative norm from $\mathbb{Q}(\zeta_n)$ to $\mathbb{Q}(\zeta_n + \bar{\zeta}_n)$.
- "this attack fails for typical NTRU [...] parameters."

2016 Albrecht–Bai–Ducas, "[...] overstretched NTRU assumptions"
- The above attack affects atypical NTRU parameters, e.g. FHE schemes and MLM constructions. Generalized to subfields other than $\mathbb{Q}(\zeta_n + \bar{\zeta}_n)$.

2016 Cheon–Jeong–Lee
- Similar attack using the relative trace to subfields of $\mathbb{Q}(\zeta_{2^k})$.
Choice of R: takeaway

Need to analyze maps from $R^2$ to smaller objects, especially if they might preserve the length of $(f, g)$.
In the case of $R = \mathbb{Z}[x]/(x^n - 1)$ we have to consider maps to (or induced by the presence of):
- $\mathbb{Z}$-submodules,
- subrings (of $R$, $R/qR$, or $R/pR$),
- subfields of $\mathbb{Q}(\zeta_n)$.
For typical NTRU parameters, none of these algebraic attacks are as effective as combinatorial attacks.
Choice of q

$R/qR$ might have more interesting structure than $R$ due to
1. factorization of $x^n - 1 \pmod q$,
2. factorization of $q$.

2001 Gentry, "Key recovery and message attacks on NTRU-Composite."
- Dismissed homomorphisms $\mathbb{Z}[x]/(q, x^n - 1) \to \mathbb{Z}[x]/(q, s(x))$ coming from the factorization of $x^n - 1 \pmod q$:
  "Useful alternative homomorphisms [...] appear to be rare."
- Question: What if there are $2^n$ such homomorphisms?
2005 Silverman–Smart–Vercauteren, "An Algebraic Approach to NTRU ($q = 2^m$) via Witt Vectors [...]"
- Considers systems of equations over $\mathbb{F}_2$ coming from $R/2^m R \to R/4R$.
- "method is of asymptotic interest but is completely impractical at current or likely future parameter sets"

2009 Bourgeois–Faugère, "[...] Witt Vectors and Gröbner bases."
- Better theoretical analysis of the above.
- Also considers maps to $R/8R$ and $R/16R$.
- "the algebraic attack using Witt vectors is not effective [if the system is solved via] Gröbner basis algorithms."
- Cost $2^{474}$ for binary $f, g$ and $N = 503$.
Attack History: Active adversaries
Active adversaries

1998 Silverman, NTRU Tech Report #007.
- Suggests OAEP-like padding.

1999 Hoffstein–Silverman, NTRU Tech Report #015.
- Notes that unpadded NTRU is vulnerable to the "reaction" attacks of Hall–Goldberg–Schneier.
- Decryption failures start to look dangerous.

2000 Jaulmes–Joux, "Chosen-ciphertext attack against NTRU."
- Similar to the reaction attack, weaker attack model.
- Breaks Silverman's OAEP-like padding.
- Suggest NTRU develop a padding based on Fujisaki–Okamoto.

2000 Hoffstein–Silverman, NTRU Tech Report #016.
- Two padding methods based on Fujisaki–Okamoto.

2001 Hoffstein–Silverman, "Optimizations for NTRU."
- Another method based on Fujisaki–Okamoto.

2002 Nguyen–Pointcheval, "Analysis and Improvements [...]."
- Identify potential problems with all three F–O paddings.
- Propose three more provably secure padding mechanisms.

2003 Proos, "Imperfect Decryption and an Attack [on NTRU]."
- Breaks all six padding mechanisms.
- Security models inadequate; need revision to account for decryption failure.

2003 Howgrave-Graham–Silverman–Singer–Whyte, "NAEP."
- Provably secure in a model that accounts for decryption failure.
- Still need the decryption failure probability to be negligible.
- NAEP recommended today. No known issues.
- More eyeballs wouldn't hurt: side-channel analysis, implementation issues, etc.

Summary:
- This stuff is subtle.
- Decryption failures complicate an already complicated topic.
- Don't trust the existence of a proof. Think hard about the assumptions.
Outlook: Should we be more conservative?
More conservative parameters

NTRU Prime recommendations:
- Avoid rings associated to cyclotomics.
- Avoid rings associated to fields with automorphisms.
- Choose $R$ and $q$ such that $R/qR$ is a finite field.
- Completely eliminate decryption failures.
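Added example, not code from the talk or from the NTRU Prime paper, serving the third recommendation above and the "Choice of q" slides: for $R = \mathbb{Z}[x]/(P(x))$ with $P$ monic, $R/qR = \mathbb{F}_q[x]/(P)$ is a finite field exactly when $P$ is irreducible mod $q$, and every root $a$ of $P$ in $\mathbb{F}_q$ gives one evaluation homomorphism $R/qR \to \mathbb{F}_q$, $x \mapsto a$, of the kind whose abundance the "Choice of q" question asks about. The irreducibility test is Rabin's test specialised to prime degree (NTRU Prime uses prime $n$); the toy sizes are this example's own, and $q$ is assumed prime throughout.

```python
# Added example (not code from the talk or from NTRU Prime): is R/qR a finite field?
# For R = Z[x]/(P(x)) with P monic, R/qR = F_q[x]/(P) is a field iff P is irreducible mod q.
# Also counts the roots of P in F_q: each root a gives a ring homomorphism R/qR -> F_q, x -> a.
# Polynomials are coefficient lists, lowest degree first; q is assumed prime.

def reduce_mod(a, P, q):
    """Reduce a modulo the monic polynomial P over F_q; result has deg P coefficients."""
    a, n = [c % q for c in a], len(P) - 1
    for i in range(len(a) - 1, n - 1, -1):        # clear coefficients from the top down
        c = a[i]
        if c:
            for j in range(n + 1):
                a[i - n + j] = (a[i - n + j] - c * P[j]) % q
    return a[:n] + [0] * (n - len(a))

def mulmod(a, b, P, q):
    """Product in F_q[x]/(P)."""
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[i + j] += ai * bj
    return reduce_mod(c, P, q)

def powmod(a, e, P, q):
    """a^e in F_q[x]/(P) by square-and-multiply."""
    n = len(P) - 1
    result, base = [1] + [0] * (n - 1), reduce_mod(a, P, q)
    while e:
        if e & 1:
            result = mulmod(result, base, P, q)
        base, e = mulmod(base, base, P, q), e >> 1
    return result

def roots_in_Fq(P, q):
    """Elements a of F_q with P(a) = 0 (q small enough to try them all)."""
    return [a for a in range(q) if sum(c * pow(a, i, q) for i, c in enumerate(P)) % q == 0]

def is_irreducible_prime_degree(P, q):
    """Rabin's irreducibility test specialised to prime degree n = deg P:
    P is irreducible over F_q iff it has no root in F_q and x^(q^n) == x (mod P).
    (An irreducible factor of P has degree dividing n, hence degree 1 or n.)"""
    n = len(P) - 1
    if n < 2 or any(n % d == 0 for d in range(2, n)):
        raise ValueError("degree must be prime")
    if roots_in_Fq(P, q):
        return False
    x = [0, 1] + [0] * (n - 2)
    return powmod(x, q ** n, P, q) == x

def x_pow_n_minus_1(n):
    """x^n - 1, the modulus of the talk's R = Z[x]/(x^n - 1)."""
    return [-1] + [0] * (n - 1) + [1]

def ntru_prime_poly(n):
    """x^n - x - 1, the NTRU Prime modulus."""
    return [-1, -1] + [0] * (n - 2) + [1]

if __name__ == "__main__":
    for n, q in [(7, 29), (7, 31)]:
        print(f"n={n} q={q}: x^n-1 has {len(roots_in_Fq(x_pow_n_minus_1(n), q))} roots in F_q; "
              f"R/qR a field for x^n-1? {is_irreducible_prime_degree(x_pow_n_minus_1(n), q)}; "
              f"x^n-x-1 irreducible mod q? {is_irreducible_prime_degree(ntru_prime_poly(n), q)}")
```

$x^n - 1$ can never make $R/qR$ a field, since $x = 1$ is always a root; it has exactly $\gcd(n, q-1)$ roots in $\mathbb{F}_q$, so for $q \equiv 1 \pmod n$ it splits into $n$ distinct linear factors and every subset of them gives a homomorphism onto a smaller quotient. For NTRU Prime's actual size ($n = 739$) this pure-Python test is far too slow; it is meant only to show what the recommendation asks for.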
Recommendation

The history of attacks on NTRUEncrypt is...
- long on interesting ideas for algebraic attacks, but short on effective algebraic attacks against proposed parameters.
- full of chosen-ciphertext attacks, attacks that exploit decryption failure, side-channel attacks, etc.
Criteria for selecting future parameter sets should prioritize the latter.
Thanks!