p1363.1 d5 overview
DESCRIPTION
P1363.1 D5 Overview. William Whyte NTRU Cryptosystems December 2005. Agenda. Document walkthrough Timetable. Document Structure. Overview References Definitions Types of Crytographic Technique Mathematical Conventions. Document Structure (2). The SV Family - PowerPoint PPT PresentationTRANSCRIPT
STRONG security that fits everywhere.
P1363.1 D5 Overview
William WhyteNTRU CryptosystemsDecember 2005
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Agenda
Document walkthrough
Timetable
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Document Structure
1. Overview
2. References
3. Definitions
4. Types of Crytographic Technique
5. Mathematical Conventions
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Document Structure (2)
6. The SV Family Algorithm specification conventions
7. Data types and conversions
8. Mathematical Foundation Ring operations; fast multiplication techniques; inversion
9. Supporting Algorithms
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Document Structure (3)
10. Encryption Scheme Components Primitives Encoding Methods Scheme Overview Scheme Operations
11. Signature Scheme Components Primitives Encoding Methods Scheme Overview Scheme Operations
12. Security Considerations
13. Bibliography
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Document Structure: Annexes
Editorial: Annexes listed in ToC by accident and will be removed.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Conversion Primitives
Integer to/from octet string, bit string
Ring element to/from octet string, bit string
Binary ring element to/from octet string, bit string
Octet string to/from bit string– BS2OSP in other standards pads on the left (designed for bit
strings < 1 byte or integers). X9.98 converts to “right-padded octet string”.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Review: NTRU parameters
N, dimension of polynomial ring– NTRU works on polynomials of degree N-1– Polynomial multiplication is convolution multiplication: terms of degree > N are
reduced mod N.– Increases roughly linearly with k for k-bit security
For 80-bit security, N = 251.
q, “big” modulus– All coefficients in polynomial are reduced mod q– For 80-bit security, q = 197.
Increases roughly linearly with k for k-bit security
p, “small” modulus (Used only in NTRUEncrypt)– Reduce mod p during decryption– p = 2 for all security levels.
Sizes:– Public key, ciphertext size = N log2 q– message size (bits) = N log2 ||p||
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Review: NTRUEncrypt Operations
Key Generation
– Generate f, g, “small” polynomials in Zq[X]/(XN-1).
– Public key h = p*f-1*g mod q; private key = (f, fp = f-1 mod p).
Encrypt (Raw operation)– Encode message as “small” polynomial m.
– Generate “small” random polynomial r
– Ciphertext e = r*h + m mod q.
Decrypt (Raw operation)– Set a = f*e mod q.
“mod q” = in range [A, A+q-1].
– Set m = fp * a mod p.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Review: Why Decryption Works
a = f * e (mod q)= f * (r*h + m) (mod q)= f * (r*p*g*Fq + m) (mod q)= p*r*g + f*m (mod q) since f*Fq = 1 (mod q)
All of the polynomials r, g, f, m are small, so coefficients ofp*r*g + f*m
will all lie within q of each other.
If its coefficients are reduced into the right range, the polynomial a(x) is exactly equal to p*r*g + f*m. Then
fp * a = p*r*g*fp (mod p) + fp*f*m (mod p) = m (mod p).
For speed, we take f = 1+pF; then f-1 mod p = 1.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
HashXOR
r*h + m’
e
Hash
r
Review: SVES-3 encryption
mb
m’
r*h
mLen 00… ID
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Parameter sets
N, q, p
Form of f, g
How to produce M: Length of b, means of encoding message length
How to produce r: ID, PRBG algorithm, means of converting output to polynomial (Blinding Value Generation Method)
How to produce m’: PRBG algorithm, minimum Hamming weight of m’
How to decrypt: lower bound on the mod q range, called A (always 0 in this standard)
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Subcategorization
Parameters – fixed inputs
Primitives – raw keygen, encrypt, decrypt– Included by analogy with 1363; since there is only one scheme in
the document, should the primitives just be combined into the schemes?
Encoding methods – BVGM
Supporting algorithms – Hash, PRNG, MGF– Are these two categories logically distinct?
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Different parameter sets
F, r are binary polynomials, or “product-form” (p1*p2 + p3), with p1, p2, p3 binary
– One set of each type at each security level
– Product-form polynomial multiplications are faster: if p is product-form, p*a can be calculated as p1*(p2*a) + p3*a.
Parameter sets give number of 1s in each component polynomial – dF and dr or df1, df2, df3, dr1, dr2, dr3
– Fixed, optimal number of 1s: more would make operations slower, fewer would be insecure.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Key Pair Validation
Key pair: check F (or f1, f2, f3) and g = fh/p have right form according to parameter set.
Public key plausibility test: check that a significant amount of reduction mod q is likely to occur in calculating r*h.
No full public key validation.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
NTRUSign
Lattice-based signature scheme
Pick two short polynomials (f, g) in ring R = Z[X]/(XN-1)
Find (F, G) s. t. f*G – g*F = q, q an integer (power of 2)
Then is an R-module / lattice with det q and a basis vectors of length N1/2, N: private key
And , h = g/f mod q, is an R-module / lattice with a basis of vectors of length N3/2: public key
Signing: message is point, solve CVP for this point using good basis.
Verification: check signature is in lattice (using bad basis) and close to message point.
GF
gf
q
hLNTRU 0
1
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Use full basis B = , inverse B-1 =
message (0, m)
– more efficient than (m1, m2), no security risk
Sign with a single public basis:(s, t) = B * Round (B-1 * (0, m))
Transmit s.
Verifying:– calculate t = s*h mod q.
– make sure ||s||, ||m-t|| are small ( < N)
hash
Signing & Verification
Gg
Ff
fg
FG
q
1
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Supporting Techniques
Message Representative Generation
1 – Hash message into [0, q-1]^N
2 – Form message representative as product of small polynomials
– Has efficiency advantages, but only in case with no perturbations
1363.1 parameter sets only use method 1.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Security Considerations!
Lattice
All other
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Check Lattice Strength
We characterize the lattice by two variables:– c = (2N) . (2)||f||/. = 2||f||(e / q)
Length of shortest vector [ (2)||f|| ]… Divided by expected length of shortest vector for lattice of the
same determinant [ = (N q/ e) ]… Scaled by (2N) .
– a = N/q.
Experimentally, breaking time is very sensitive to c, somewhat sensitive to a.
Experimentally, for fixed c, a, breaking time is exponential in N.
For all the parameter sets given in the previous slide, we havea >= 1.25, c >= 2.58.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Lattice Strength
The lower a and c, the faster reduction algorithms run.
Run experiments at a and c much lower than those obtained for our parameter sets.
– a = 0.535, c = 1.73;
– Breaking time goes as 10 .1095N - 12.6 MIPS-years.
N = 251 ==> 1.37*1013 MIPS-years, taking “zero-forcing” into account.
– 80-bit security: ~1012 MIPS-years
Trend is concave upwards, and actual NTRU lattice is stronger than this: estimate is quite conservative.
Paper available on X9 website
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
F, g, r have df, dg, dr 1s respectively
Brute force-like search on F, g, r can be speeded up by meet-in-the-middle techniques.
Using these techniques, number of binary convolution multiplications needed to break f is
– Each multiplication requires df.N additions … perhaps divided by 2-8 if we use wordsize cleverly In general, use number of multiplications as security measure
Attacker will go for easiest of (f, g), (r, m); pick df = dr.
Take g = N/2: larger = greater security
Binary F, g, r: Combinatorial Security
N
d
N
f
2/
2/
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Pick q, p
Our choice:– Pick p = 2, q to be the first prime greater than
p.min(dr, dg) + 1 + p.min(df, N/2)with large order mod N.
This gives zero chance of decryption failures Minimum q to do so consistent with choice of p, df.
– Best lattice security
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Other considerations
Keys (and random component b) must be generated with sufficient entropy
– Added section B.3.1 stating that RNG should be seeded with k+64 bits
R*h must result in a reasonable amount of reduction mod q– Otherwise an attacker can recover r by linear algebra
N must be prime; if it is divisible by l, can form lattice of dimension 2N/l.
E(1) = r(1)h(1) +m’(1), and r(1) and h(1) are known; therefore, the ciphertext leaks m’(1)
– Require m’ to be blinded.
q must have large order mod N: similar attack to above might otherwise leak value of m’(X) in larger fields. The chance of this happening is qorder(q mod N).
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Other considerations (2)
p and q must be relatively prime
Need to prevent adaptive chosen ciphertext attacks with appropriate scheme
– For k-bit security, length of random component b = k bits
– Consistent with standard security proofs.
If q is too small relative to f, r, g, m, decryption failures can occur– This will not happen for any of the given parameter sets
ID is included to ensure that sender and receiver are using same parameter set
The blinding value r is generated as a series of indices < N– Mechanisms in standard guarantee that these are uniformly distributed.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Security Levels: Encryption
Provided parameter sets for each security level k={80, 112, 128, 160, 192, 256}.
– Do we need 160?
2 parameter sets at each level– “Binary”: lower bandwidth, less RAM
– “Product-form”: faster
Standard table of strengths– Note that SHA-160 is suitable as core of RNG up to 128-bit
security; 80-bit limit in table is for direct use as a hash function
– Captured in text, not in table.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Binary Parameter Sets
Parameter set k N d dm0 q O(q) c (F, g) c (r, m) T(L) r Tzf(L) adds size (bits)
ees251ep6 80 251 48 70 197 125 2.93 2.77 103.1 29 97.98 12048 2008
ees347ep2 112 347 66 108 269 173 2.94 2.83 143.9 31 138.26 22902 3033
ees397ep1 128 397 74 128 307 198 2.93 2.84 165.1 33 159.17 29378 3501
ees491ep1 160 491 91 167 367 490 2.98 2.90 205.0 35 198.75 44681 4383
ees587ep1 192 587 108 208 439 293 2.97 2.91 245.7 37 239.21 63396 5193
ees787ep1 256 787 140 294 587 393 2.95 2.91 330.6 41 323.45 110180 7690
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Product-form Parameter Sets
Parameter set k N d dm0 q O(q) c (F, g) c (r, m) T(L) r Tzf(L) adds size (bits)
ees251ep7 80 251 8 70 293 250 2.57 2.43 87.2 20 80.1 6024 2259
ees347ep3 112 347 11 108 541 173 2.31 2.22 117.8 16 118.7 11451 3370
ees397ep2 128 397 12 128 659 396 2.24 2.17 138.3 17 136.6 14292 3890
ees491ep2 160 491 14 167 967 490 2.08 2.02 171.3 16 170.1 22095 4870
ees587ep2 192 587 17 208 1229 293 2.02 1.97 203.3 14 204.6 29937 6347
ees787ep2 256 787 21 294 2027 393 1.78 1.73 278.1 14 276.7 51942 8459
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Signing Security Considerations
To be filled in.
Four main attacks– Brute force search on keyspace (square-rooted by combinatorial
methods)
– Lattice reduction attack on public key to recover private key (SVP)
– Brute force search on possible signature space to find signature (also square-rootable)
– Lattice reduction attack on public key and message to generate signature (CVP)
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Improved Lattice Security Allows Smaller N than for NTRUEncrypt
In standard lattice ((f g) (F G)), (f g) is short vector of length O(√N).
In transpose lattice, (f F) is short vector of length O(N).– Improved c by factor of √N?
Attacker can “balance” lattice so f & F are of same length, but changes determinant
– Improves ctranspose by factor of N1/4 compared to cstandard.
Increase N, hold d/N constant – combinatorial security increases exponentially– lattice security increases superexponentially
Note: LHS of signature is smaller than RHS; balance with balancing factor β.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
CVP
Difficulty of solving signature by lattice reduction linked to constant γ.
– γ = N/(σ * √(2N)). Norm bound … Divided by expected length of shortest vector… Scaled by 1/(√2N).
In this case, smaller γ = required to solve CVP “better” = harder lattice problem
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Signature Parameter Generation
Want to pick (N, d, q, beta, NB) s. t.– strength against all attacks is greater than k bits– performance is optimized
smallest public keys/bandwith fastest operations
Paper presents iterative process:– Loop through N, d, q– Calculate expected size of signature– Set NB = ρ * size of signature (ρ typically 1.1 – 1.25 – affects
chance of having to re-sign, essentially negligible for specified parameter sets)
– Check strength against specified attacks– Store all acceptable parameter sets: output one with best
performance using chosen metric.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Transcript Analysis
If message was random within ball of radius NormBound, transcript could not leak information
Transcript iss = d * f + D * F
– d, D are {-1/2, 1/2}N
– d, D slightly constrained: s must have integer coefficients.
Leaks information about geometry of lattice
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Signing with Perturbations
Message is (0, m); public basis is B0; b private bases B1 … Bb.
– Set (sb+1, tb+1) = (0, m).
For each private basis i in turn, i = b, b-1, … 1:
– Input point is (sb+1, tb+1)
– (si, ti) = result of solving appr-CVP in basis Bi on point (si+1, ti+1).
Signature is appr-CVP on (s1, t1) in B0.
Can implement this such that each private basis operation requires:
– 2 multiplies by (fi, Fi) (or (fi, gi) in transpose lattice)
– One multiply by hi.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
s = d * f + D * F– d, D are {-1/2, 1/2}N
First moment: s averages to 0– Subtranscripts don’t appear to help.
Second moment: Can find quantities that behave like norms (don’t average to 0)
– Define prev(X) = p(X-1) for any polynomial p if p = [f0, f1, f2, …], then prev = [f0, fN-1, fN-2, …]
– Constant coordinate of p * prev = p ¢ p = squared norm of p 0 Other coordinates are p dotted with its rotations
– s * srev will average to non-zero result.
Notation:– denote average of x by
Transcript Analysis
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
(f1,g1)(F1,G1)
NTRUSign with Perturbations
(F,G)
(f,g)
(s, t-m) -- without perturbations
(s, t-m) -- with perturbations
(F,G)
(f,g)
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Security Claim for Perturbations
Number of signatures required to recover private key = number required to converge on 6th moment
– = O(29d6)
– Highly conservative Could be that 8th moment is actually required Big-O constant is considerably more than 1.
In paper, take a single perturbation at each security level– Required transcript is > 109.
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Improved Parameter Sets
k: security level; d: f consists of d+1 +1s, d -1s, and (N-2d-1) 0s; \beta: signature normalization factor; Norm: how close you have to be for a signature to pass
\tau: attacker requires >> 2\tau signatures to recover private key.
k N d q \beta Norm \tau80 157 29 256 0.384 150.02 31.9112 197 28 256 0.514 206.91 32.2128 223 32 256 0.655 277.52 31.2160 263 45 512 0.315 276.53 34.9192 313 50 512 0.406 384.41 35.6256 349 75 512 0.185 368.62 38.9
STRONG security that fits everywhere.
NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005
Timetable
End of December: Complete Editorial Review and NTRUSign Security Considerations
January: Present to working group and request written comments
March: First WG vote, hopefully with comments resolved.
May?: Go into Sponsor Ballot