A security proof for the NTRU cryptosystem (Une preuve de sécurité pour le cryptosystème NTRU)
Slide transcript
Sections: Introduction, Regular NTRUEncrypt, Ring-LWE, Securing NTRUEncrypt, Securing NTRUSign, Conclusion.

Slide 1/33: A security proof for the NTRU cryptosystem
Damien Stehlé and Ron Steinfeld
CNRS – ENS de Lyon; Macquarie University
Grenoble, May 2012
(Damien Stehlé, Une preuve de sécurité pour le cryptosystème NTRU, 31/05/2012)

Slide 2/33: The NTRU cryptographic functions
NTRUEncrypt: a public-key encryption scheme.
  1996: Proposed by Hoffstein, Pipher & Silverman.
  1997: Improved lattice attacks by Coppersmith & Shamir.
  1998: Revised by Hoffstein et al.
NTRUSign: a digital signature scheme.
  2001: Hoffstein et al. propose NSS.
  2001 & 2002: Broken by Gentry, Jonsson, Stern & Szydlo.
  2003: HoHGPiSiWh propose NTRUSign.
  2003 & 2004: Many partial attacks.
  2006: Total break of one of the two variants of NTRUSign, by Nguyen & Regev.

Slide 3/33: Why study NTRUEncrypt?
Standardized & commercialized.
Super-fast (comparison to 1024-bit RSA, based on an NTRU brochure):
  Encryption ∼ 10 times faster.
  Decryption ∼ 100 times faster.
  Asymptotically: $\tilde{O}(\lambda)$ versus $\tilde{O}(\lambda^6)$, for security $2^\lambda$.
Interesting security features:
  Does not rely on the hardness of Int-Fac or DLog.
  Seems to resist practical attacks.
  Seems to resist quantum attacks.

Slide 4/33: Our main result
An IND-CPA variant of NTRUEncrypt. It is possible to modify NTRUEncrypt so that:
  Encryption and decryption of λ bits still cost $\tilde{O}(\lambda)$.
  Any semantic attack with run-time T leads to a Poly(n, T) quantum algorithm for Poly(n)-Ideal-SVP.
Semantic security (IND-CPA): given the public parameters, the attacker cannot distinguish between the encryptions of two plaintexts of his choice.
Similar result for NTRUSign, in the random oracle model and with a non-quantum security proof.

Slide 5/33: Outline of the talk
1- Regular NTRUEncrypt.
2- The Ideal-SVP and R-LWE problems.
3- The modified NTRUEncrypt.
4- Modifying NTRUSign.

Slide 6/33: Polynomial Rings: Generalizing Z
Take Φ ∈ Z[x] monic of degree n.
$R^\Phi := \big(\mathbb{Z}[x]/(\Phi),\ +,\ \times\big)$.
Interesting Φ's: Φ = x^n − 1 → R^−, Φ = x^n + 1 → R^+.
x^n + 1 is irreducible if n is a power of 2. In this case, R^Φ is isomorphic to the ring of integers of the cyclotomic number field: $\mathbb{Q}[e^{i\pi/n}] \simeq \mathbb{Q}[x]/(\Phi)$.
Slide 7/33: Polynomial Rings: Generalizing Z/qZ
Let q ≥ 2 and $\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}$.
$R_q^\Phi := \big(\mathbb{Z}_q[x]/(\Phi),\ +,\ \times\big) = R^\Phi/(q) = \mathbb{Z}[x]/(\Phi, q)$.
Arithmetic in R_q^Φ costs $\tilde{O}(n \log q)$.
R_q^− and R_q^+ are defined similarly.
If Φ = x^n ± 1 has n distinct linear factors modulo prime q, then R_q^Φ comes with a natural FFT.
The key to decryption correctness: if f ∈ R^Φ has coefficients in (−q/2, q/2), then (f mod q) is f.

Slide 8/33: Description of NTRUEncrypt, Part I
Parameters: n prime, q ≈ n a power of 2. E.g.: (n, q) = (503, 256).
Secret key sk: f, g ∈ R^− such that:
  f is invertible mod q and mod 3.
  The coefficients of f and g are in {−1, 0, 1}.
Public key pk: h = g/f mod q.
Security intuition: given h ∈ R_q, finding small g, f ∈ R such that h = g/f [q] is hard.

Slide 9/33: Description of NTRUEncrypt, Part II
sk: f, g ∈ R small with f invertible mod q and mod 3. pk: h = g/f mod q.
Encryption of M ∈ {0, 1}[x]/(x^n − 1):
  Sample s ∈ R_q^− with coefficients in {−1, 0, 1}.
  Return C := 3hs + M mod q.
Decryption of C ∈ R_q^−:
  f × C = 3gs + fM mod q.
  g, M, f, s small ⇒ the equality holds over R^−.
  (f × C mod q) mod 3 = fM mod 3.
  Multiply by the inverse of f mod 3.
Security intuition: given C ∈ R_q, finding small M, s ∈ R such that C = 3hs + M [q] is hard.
Slide 10/33: Outline of the talk (part 2: the Ideal-SVP and R-LWE problems)
1- Regular NTRUEncrypt. 2- The Ideal-SVP and R-LWE problems. 3- The modified NTRUEncrypt. 4- Modifying NTRUSign.

Slide 11/33: Ideals in R^Φ
I ⊆ R^Φ is an ideal if: ∀a, b ∈ I, ∀r ∈ R^Φ: a + b·r ∈ I.
Let's identify polynomials with vectors via their coefficients:
$R^\Phi \to \mathbb{Z}^n,\qquad \sum_{i<n} f_i x^i \mapsto (f_0, \ldots, f_{n-1})^t.$
Ideal I is mapped to an integer lattice.
A Φ-ideal lattice is a lattice corresponding to an ideal of R^Φ.

Slide 12/33: (Integral) lattices and the Shortest Vector Problem
Lattice ≡ $\{\sum_{i \le n} x_i b_i : x_i \in \mathbb{Z}\}$, for some linearly independent b_i's.
Minimum: λ = min(‖b‖ : b ∈ L \ 0).
γ-SVP (computational variant): find b ∈ L with 0 < ‖b‖ ≤ γ · λ(L).
No known sub-exponential algorithm for γ = Poly(n).
γ-Ideal-SVP: γ-SVP restricted to Φ-ideal lattices. Does not seem easier than SVP.

Slide 13/33: The R-LWE problem [LyPeRe'10]
A couple of distributions:
  The noise distribution. For α > 0, we define ν_α as the n-dimensional normal law of standard deviation α, rounded to Z^n and interpreted as an element of R^+.
  The R-LWE distribution. We define D_α as the distribution obtained as follows: sample a ← U(R_q^+), s ← ν_α, e ← ν_α; return (a, as + e) ∈ R_q^+ × R_q^+.
R-LWE_{q,α} (decisional variant with one sample): tell whether a given (a, b) is sampled from D_α or from U(R_q^+ × R_q^+).

Slide 14/33: R-LWE is hard [LyPeRe'10]
R-LWE_{q,α}: tell whether a given (a, b) is sampled from D_α or from U(R_q^+ × R_q^+).
R-LWE is no easier than Poly(n)-Ideal-SVP: take q = Poly(n) with q = 1 mod 2n, and α = q/Poly(n). Solving R-LWE_{q,α} with non-negligible advantage is computationally infeasible, assuming the quantum hardness of Poly(n)-Ideal-SVP.
Sampling from ν_α costs $\tilde{O}(n)$.
Samples from ν_α are small with very high probability: their Euclidean norms are ≤ √n · α with probability ≥ 1 − 2^{−n}.
Slide 15/33: Outline of the talk (part 3: the modified NTRUEncrypt)
1- Regular NTRUEncrypt. 2- The Ideal-SVP and R-LWE problems. 3- The modified NTRUEncrypt. 4- Modifying NTRUSign.

Slide 16/33: Some intuition
NTRUEncrypt: pk: h = g/f ∈ R_q^− with f, g small. Enc: M ↦ 3hs + M mod q, where s is small.
IND-CPA: we would like (h, 3hs) to be pseudo-random. It's not! Divide the right-hand side by h and check for smallness.
R-LWE hardness: (a, as + e) ≈_c U(R_q^+ × R_q^+), where a ← U(R_q^+), s, e ← ν_α.
Let's change rings and replace "(h, hs)" by "(a, as + e)"!

Slide 17/33: Is it that simple?
Enc: M ↦ 3hs + M mod q, where s is small.
R-LWE: (a, as + e), where a ← U(R_q^+), s, e ← ν_α.
Changing rings and replacing "(h, hs)" by "(a, as + e)"?
Good news:
  s, e are small ⇒ decryption still works.
  q prime ⇒ multiplying by p = 3 preserves pseudo-randomness.
  Everything remains (asymptotically) efficient.
The catch: relying on R-LWE requires h uniform in R_q^+.

Slide 18/33: The modified scheme (compared with the original NTRUEncrypt)
Original:
  Parameters: n prime, q ≈ n a power of 2.
  Key generation: sk: f, g ∈ R^− with f invertible mod q and 3, coefficients of f and g in {−1, 0, 1}. pk: h = g/f mod q.
  Encryption of M ∈ {0, 1}[x]/(x^n − 1): C := 3hs + M mod q, with coefficients of s in {−1, 0, 1}.
  Decryption of C ∈ R_q^−: f × C mod q = 3gs + fM. (f × C mod q) mod 3 = fM mod 3. Multiply by the inverse of f mod 3.
Modified:
  Parameters: n a power of 2, q = Poly(n) prime s.t. q = 1 [2n].
  Key generation: sk: f, g ∈ R^+ with f invertible mod q and 2, coefficients of f and g of magnitude ≈ √q. pk: h = g/f mod q.
  Encryption of M ∈ {0, 1}[x]/(x^n + 1): C := 2(hs + e) + M mod q, with s, e ← ν_α.
  Decryption of C ∈ R_q^+: f × C mod q = 2(gs + fe) + fM. (f × C mod q) mod 2 = fM mod 2. Multiply by the inverse of f mod 2.
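The two columns of slide 18 in code, as an added example written for this transcript (not code from the talk, nor from the NTRU project). It implements the ring arithmetic of slide 7 once (schoolbook multiplication in Z_q[x]/(x^n ± 1), centred reduction, inversion mod a prime by the extended Euclidean algorithm and mod 2^k by Newton lifting of the mod-2 inverse), then runs regular NTRUEncrypt as on slides 8-9 and the modified scheme of slide 18 through the same keygen/encrypt/decrypt, each followed by the decryption-correctness condition of slide 7. The parameters (n, q) = (11, 128) and (8, 7681), the noise width α = 1, and the use of √q as the key width are toy choices made here so that the decryption bound holds; they are not the talk's parameters, and all function names are mine.

```python
# Added example (not from the talk): toy regular NTRUEncrypt (slides 7-9) and the modified
# scheme of slide 18 on one shared ring implementation; all parameter sizes are toy values.
import random

def poly_mul(a, b, n, sign):   # product in Z[x]/(x^n - sign): sign=+1 is x^n - 1 (R^-), sign=-1 is x^n + 1 (R^+)
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[(i + j) % n] += ai * bj if i + j < n else sign * ai * bj   # x^(n+r) = sign * x^r
    return res

def center(a, q):   # representative with coefficients in [-q/2, q/2), the lift used on slide 7
    return [((c + q // 2) % q) - q // 2 for c in a]

def _deg(a, p):     # degree over Z_p, -1 for the zero polynomial
    return next((i for i in range(len(a) - 1, -1, -1) if a[i] % p), -1)

def _divmod(a, b, p):   # long division of polynomials over Z_p (p prime): (quotient, remainder)
    a, db = [c % p for c in a], _deg(b, p)
    inv, quo = pow(b[db], -1, p), [0] * max(len(a) - db, 1)
    for i in range(_deg(a, p), db - 1, -1):
        quo[i - db] = coef = a[i] * inv % p
        for j in range(db + 1):
            a[i - db + j] = (a[i - db + j] - coef * b[j]) % p
    return quo, a

def inv_mod_prime(f, n, sign, p):
    """Inverse of f in Z_p[x]/(x^n - sign) by extended Euclid; None if gcd(f, x^n - sign) != 1."""
    phi = [(-sign) % p] + [0] * (n - 1) + [1]
    r0, s0, r1, s1 = phi, [0], [c % p for c in f], [1]
    while _deg(r1, p) > 0:               # invariant: r_i = s_i * f  (mod phi, mod p)
        quo, rem = _divmod(r0, r1, p)
        prod = [0] * (len(quo) + len(s1) - 1)
        for i, qi in enumerate(quo):
            for j, sj in enumerate(s1):
                prod[i + j] += qi * sj
        s0, s1 = s1, [(x - y) % p for x, y in zip(s0 + [0] * len(prod), prod + [0] * len(s0))]
        r0, r1 = r1, rem
    if _deg(r1, p) < 0:
        return None
    c_inv, s1 = pow(r1[0], -1, p), _divmod(s1, phi, p)[1]
    return [(c * c_inv) % p for c in (s1 + [0] * n)[:n]]

def inv_mod(f, n, sign, m):   # inverse in Z_m[x]/(x^n - sign): Euclid for prime m, Newton lifting for m = 2^k
    if m & (m - 1):                      # not a power of two: m is assumed prime
        return inv_mod_prime(f, n, sign, m)
    v, one = inv_mod_prime(f, n, sign, 2), [1] + [0] * (n - 1)
    while v is not None:                 # each round doubles the number of correct bits
        fv = [c % m for c in poly_mul(f, v, n, sign)]
        if fv == one:
            break
        corr = [(-c) % m for c in fv]
        corr[0] = (2 - fv[0]) % m
        v = [c % m for c in poly_mul(v, corr, n, sign)]
    return v

def keygen(rng, n, sign, q, p, sample):   # pk = h = g/f mod q, sk = (f, f^-1 mod p); retry until f is invertible
    while True:
        f = sample()
        f_q, f_p = inv_mod(f, n, sign, q), inv_mod(f, n, sign, p)
        if f_q is not None and f_p is not None:
            g = sample()
            return [c % q for c in poly_mul(g, f_q, n, sign)], (f, f_p), g

def encrypt(h, m, s, e, n, sign, p, q):   # C = p(hs + e) + M mod q; regular NTRUEncrypt has p = 3, e = 0
    return [(p * (x + y) + z) % q for x, y, z in zip(poly_mul(h, s, n, sign), e, m)]

def decrypt(sk, c, n, sign, p, q):
    f, f_p = sk
    a = center(poly_mul(f, c, n, sign), q)   # equals p(gs + fe) + fM over Z when that value is small
    return [x % p for x in poly_mul(f_p, [x % p for x in a], n, sign)]

def noise(f, g, m, s, e, n, sign, p):     # p(gs + fe) + fM over Z: decryption is correct iff it is small
    gs, fe, fm = (poly_mul(x, y, n, sign) for x, y in ((g, s), (f, e), (f, m)))
    return [p * (x + y) + z for x, y, z in zip(gs, fe, fm)]

def small_enough(v, q):   # slide 7: reducing mod q loses nothing iff all coefficients lie in (-q/2, q/2)
    return all(2 * abs(c) < q for c in v)

def demo(seed=1):
    """One run of each scheme: {name: (decrypted == message, decryption bound held)}."""
    rng, out = random.Random(seed), {}
    # Regular NTRUEncrypt, toy (n, q) = (11, 128): worst case |3gs + fM| <= 3n + n = 44 < q/2 = 64.
    n, sign, p, q = 11, +1, 3, 128
    tern = lambda: [rng.choice((-1, 0, 1)) for _ in range(n)]
    h, sk, g = keygen(rng, n, sign, q, p, tern)
    m, s, e = [rng.choice((0, 1)) for _ in range(n)], tern(), [0] * n
    c = encrypt(h, m, s, e, n, sign, p, q)
    out["regular"] = (decrypt(sk, c, n, sign, p, q) == m, small_enough(noise(sk[0], g, m, s, e, n, sign, p), q))
    # Modified scheme, toy (n, q) = (8, 7681): q prime with q = 1 mod 16; f, g of width sqrt(q), s, e from nu_1.
    n, sign, p, q = 8, -1, 2, 7681
    gauss = lambda sigma: [round(rng.gauss(0, sigma)) for _ in range(n)]
    h, sk, g = keygen(rng, n, sign, q, p, lambda: gauss(q ** 0.5))
    m, s, e = [rng.choice((0, 1)) for _ in range(n)], gauss(1.0), gauss(1.0)
    c = encrypt(h, m, s, e, n, sign, p, q)
    out["modified"] = (decrypt(sk, c, n, sign, p, q) == m, small_enough(noise(sk[0], g, m, s, e, n, sign, p), q))
    return out
```

`demo()` performs one key generation, encryption and decryption per scheme and reports whether the plaintext came back and whether p(gs + fe) + fM stayed inside (−q/2, q/2). The second flag is the practical content of "g, M, f, s small ⇒ equality holds over R": when it fails, decryption silently returns a wrong message rather than an error, which is why the real parameter sets are chosen to make that event negligible.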
Slide 19/33: Making h = g/f statistically close to uniform
We want h uniform while having f and g with small coefficients.
If we want a chance, we need the magnitudes to be ≥ √q.
The distribution $D_\sigma^\times$ used for f and g:
  1. Sample f from the discrete Gaussian $D_{\mathbb{Z}^n,\sigma}$, using [GePeVa'08]:
     $\forall x \in \mathbb{Z}^n,\quad D_{\mathbb{Z}^n,\sigma}[x] \sim \exp\!\left(-\pi \frac{\|x\|^2}{\sigma^2}\right).$
  2. If f is not invertible in R_q^+, restart.
It's a discrete Gaussian with a non-lattice support.
We also want f invertible mod 2: handled by tweaking $D_\sigma^\times$.

Slide 20/33: Making h = g/f statistically close to uniform
Our main technical contribution: if $\sigma = \tilde{\Omega}(n \cdot q^{1/2 + \varepsilon})$ with ε > 0, then
$\Delta\!\left(\frac{D_\sigma^\times}{D_\sigma^\times} \bmod q,\ U(R_q^\times)\right) \le q^{-\Omega(\varepsilon \cdot n)},$
where $\Delta(D_1, D_2) = \frac{1}{2} \sum_t |D_1(t) - D_2(t)|$ is the statistical distance.
If f ← $D_\sigma^\times$, then ‖f‖ ≤ σ√n with overwhelming probability.
We don't get uniformity in R_q but only in R_q^×.
R-LWE is still hard if h is restricted to U(R_q^×).

Slide 21/33: Proving uniformity in two steps
Step 1: We show that if a_i ← U(R_q^×) and t_i ← D_σ:
$\Delta\big((a_1, a_2, t_1 a_1 + t_2 a_2);\ U(R_q^\times \times R_q^\times \times R_q)\big) \le q^{-\Omega(\varepsilon n)}.$
Step 2: We observe that for a = −a_2/a_1:
$\Pr_{t_1, t_2}[t_1/t_2 = a\ [q]] = \Pr_{t_1, t_2}[a_1 t_1 + a_2 t_2 = 0\ [q]],$
where the t_i's are from $D_\sigma^\times$.
Step 2 would be easy if the t_i's were sampled from a lattice. But {x ∈ Z^n : x ∈ R_q^×} is not a lattice. Handled by inclusion-exclusion, involving the ideals of R_q.
Slide 22/33: Outline of the talk (part 4: modifying NTRUSign)
1- Regular NTRUEncrypt. 2- The Ideal-SVP and R-LWE problems. 3- The modified NTRUEncrypt. 4- Modifying NTRUSign.

Slide 23/33: The NTRU lattice
Recall that R = Z[x]/(x^n + 1) and R_q = Z_q[x]/(x^n + 1).
Given h = g/f ∈ R_q, we consider the lattice spanned by the columns of
$\begin{pmatrix} 1 & 0 \\ h & q \end{pmatrix} = \begin{pmatrix} 1 & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ 0 & 1 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & 1 & 0 & 0 & \cdots & 0 \\ h_0 & -h_{n-1} & \cdots & -h_1 & q & 0 & \cdots & 0 \\ h_1 & h_0 & \cdots & -h_2 & 0 & q & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ h_{n-1} & h_{n-2} & \cdots & h_0 & 0 & 0 & \cdots & q \end{pmatrix}.$

Slide 24/33: The NTRU R-module/Z-lattice
Matrix +/× are consistent with +/× in the ring R:
$\begin{pmatrix} 1 \\ h \end{pmatrix} \cdot f = \begin{pmatrix} f \\ f \cdot h \bmod q \end{pmatrix}.$
Secret key (f, g)^t is a short lattice vector of
$L = R \cdot \begin{pmatrix} 1 \\ h \end{pmatrix} + R \cdot \begin{pmatrix} 0 \\ q \end{pmatrix} \subseteq \left\{ \begin{pmatrix} x_1 \\ x_2 \end{pmatrix} \in R^2 : h x_1 + x_2 = 0\ [q] \right\}.$

Slide 25/33: NTRUSign
Assume we have a small module basis of L:
$\begin{pmatrix} 1 & 0 \\ h & q \end{pmatrix} \cdot U = \begin{pmatrix} f & F \\ g & G \end{pmatrix}$, for some U ∈ GL_2(R).
NTRUSign follows the hash-and-sign paradigm:
  Public key: h; secret key: small module basis.
  To sign M, use sk to get s_1, s_2 ∈ R small with h s_1 + s_2 = H(M) [q].
  To verify (M, s_1, s_2): check h s_1 + s_2 = H(M) [q] and ‖s_1‖, ‖s_2‖ small.
Security based on a variant of R-LWE, in the random oracle model.
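The matrix of slide 23 and the consistency claim of slide 24, as an added example (mine, not from the talk) for R = Z[x]/(x^n + 1). rot(h) is the n × n matrix whose j-th column holds the coefficients of x^j · h, so that rot(h) · coeffs(a) = coeffs(a · h); the same columns are a Z-basis of the principal ideal (h), i.e. the Φ-ideal lattice of slide 11. The block matrix B = [[I, 0], [rot(h), qI]] spans the NTRU lattice, and module_coords writes a vector (x_1, x_2) as a·(1, h) + b·(0, q) with a, b ∈ R, which is the membership test the columns of B give. The values n = 4, q = 17 and h = 3 + 14x + 5x² + 9x³ are constructed for this example only; h is not derived from any f, g, and the short vector (f, g) is built by setting g = h·f mod q.

```python
# Added example (not from the slides): the NTRU lattice basis of slide 23 over
# R = Z[x]/(x^n + 1), and the slide-24 consistency of matrix and ring operations.
# n, q and h below are constructed toy values.

def negacyclic_mul(a, b, n):
    """Product in Z[x]/(x^n + 1), where x^n = -1."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[(i + j) % n] += ai * bj if i + j < n else -ai * bj
    return res

def rot(h, n):
    """n x n matrix whose column j is x^j * h; row 0 reads (h_0, -h_{n-1}, ..., -h_1) as on slide 23.
    Its columns also span the ideal lattice of the principal ideal (h) (slide 11)."""
    cols = [negacyclic_mul([int(k == j) for k in range(n)], h, n) for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def ntru_basis(h, q, n):
    """2n x 2n matrix [[I, 0], [rot(h), qI]]; its columns span the NTRU lattice."""
    top = [[int(i == j) for j in range(n)] + [0] * n for i in range(n)]
    bottom = [row + [q * int(i == j) for j in range(n)] for i, row in enumerate(rot(h, n))]
    return top + bottom

def mat_vec(B, v):
    """Integer matrix-vector product."""
    return [sum(b * x for b, x in zip(row, v)) for row in B]

def module_coords(x1, x2, h, q, n):
    """Write (x1, x2) = a.(1, h) + b.(0, q) with a, b in R; None if (x1, x2) is not in L.
    The first coordinate forces a = x1, so membership reduces to q dividing x2 - h*x1."""
    r = [y - z for y, z in zip(x2, negacyclic_mul(h, x1, n))]
    if any(c % q for c in r):
        return None
    return x1, [c // q for c in r]

def matrix_matches_ring(h, q, n, a, b):
    """Slide 24: B . (a, b) computed over Z equals (a, a*h + q*b) computed in R."""
    via_matrix = mat_vec(ntru_basis(h, q, n), a + b)
    via_ring = a + [x + q * y for x, y in zip(negacyclic_mul(a, h, n), b)]
    return via_matrix == via_ring

def centered(v, q):
    """Coefficients reduced to [-q/2, q/2)."""
    return [((c + q // 2) % q) - q // 2 for c in v]

# Constructed toy instance: n = 4, q = 17, an arbitrary public h and a short f.
N, Q = 4, 17
H = [3, 14, 5, 9]
F = [1, -1, 0, 1]
G = centered(negacyclic_mul(H, F, N), Q)          # g = h*f mod q, so (f, g) lies in L

def demo():
    """Returns g, the module coordinates of (f, g), and the slide-24 consistency flag."""
    coords = module_coords(F, G, H, Q, N)         # (a, b) with a = f
    consistent = matrix_matches_ring(H, Q, N, coords[0], coords[1])
    return G, coords, consistent
```

The first row of rot(H) comes out as (h_0, −h_3, −h_2, −h_1), matching the pattern on slide 23; for the toy instance, (f, g) = f·(1, h) + x²·(0, q), and multiplying B by the concatenated coefficient vectors reproduces exactly that ring computation.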
Two problems with NTRUSign
Public key: $h$; secret key: small module basis.
To sign $M$, use sk to get $s_1, s_2 \in R$ small with $h s_1 + s_2 = H(M)\ [q]$.
Problem 1: The "perturbations". Choose $t_1, t_2$ with $h t_1 + t_2 = H(M)\ [q]$, and then perturb $(t_1, t_2)$ by a random lattice point.
No perturbation ⇒ secret key is revealed [NgRe'08].
⇒ Fixed by using a discrete Gaussian [GePeVa'08, Peikert'10].
Problem 2: The key-pair. NTRU's extension of short vector to short basis is heuristic...
Remaining difficulty: getting a small module basis
We have $h, f, g$ such that:
$h$ is (essentially) uniform in $R_q^\times$.
$(f, g)^t$ is a small non-zero vector in the module spanned by $\begin{pmatrix} 1 & 0 \\ h & q \end{pmatrix}$.
We want to find $F, G$ s.t.:
$$\begin{pmatrix} 1 & 0 \\ h & q \end{pmatrix} \cdot U = \begin{pmatrix} f & F \\ g & G \end{pmatrix}, \text{ for some } U \in GL_2(R).$$

The NTRUSign secret key extension procedure
1. It is likely that $f$ and $g$ are coprime in $R$: $\exists u_1, u_2 \in R$, $u_1 f + u_2 g = 1$.
2. Take $F_q = q u_2$ and $G_q = -q u_1$.
3. $\begin{pmatrix} f & F_q \\ g & G_q \end{pmatrix}$ is a basis of the NTRU module.
4. Make it small by reducing the second vector wrt the first one:
$$b_2 := b_2 - \left\lfloor \frac{\langle b_1, b_2 \rangle}{\langle b_1, b_1 \rangle} \right\rceil b_1,$$
with $\langle \cdot, \cdot \rangle$ and $\lfloor \cdot \rceil$ taken over $R$.
This procedure is efficient, but heuristic because of Step 1.

Making the NTRUSign secret key extension rigorous
Is it likely that $f$ and $g$ are coprime in $R$? In our case, $f, g \leftarrow D_\sigma^\times$.
Two "random" integers are coprime with prob. $1/\zeta(2)$, where
$$\zeta(2) = \sum_{k \ge 1} \frac{1}{k^2} = \frac{\pi^2}{6}.$$
We adapt this to $R$ and $D_\sigma$: if $\sigma$ is large enough, the probability that $f, g \leftarrow D_\sigma$ are coprime is
$$\ge \frac{1}{2 \zeta_R(2)}, \quad \text{where } \zeta_R(2) := \sum_{I \text{ ideal of } R} \frac{1}{(\det I)^2} = O(1).$$
Moving from $D_\sigma$ to $D_\sigma^\times$ is easy.
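The key extension procedure of slide 28, with the coprimality test of Step 1 made explicit, as an added Python example (not code from the talk or from NTRUSign itself): coprimality is tested through the integer norms $R_f, R_g$ of $f$ and $g$, which is sufficient but not necessary, and that is where the heuristic sits. It assumes $n$ a power of two, so that the norm down to $\mathbb{Z}$ can be taken through the tower of conjugates; $n = 8$, $q = 257$ and the ternary `f_toy`, `g_toy` are constructed toy values, not a real parameter set.

```python
# Added example, not the talk's own code: the NTRUSign secret-key extension of slide 28
# over R = Z[x]/(x^n + 1), n a power of two.  Constructed toy values: n = 8, q = 257.
N, Q = 8, 257

def mul(a, b):
    """Product in Z[x]/(x^n + 1): x^n wraps to the constant term with a sign flip."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N: c[i + j] += ai * bj
            else: c[i + j - N] -= ai * bj
    return c

def norm_down(f):
    """(rho, R) with rho * f = R, R an integer: multiply f by its Galois conjugates
    f(-x), f1(-x^2), f2(-x^4), ... until only a constant remains."""
    rho, cur, k = [1] + [0] * (N - 1), f, 0
    while 2 ** k < N:
        conj = [-c if (i >> k) & 1 else c for i, c in enumerate(cur)]  # cur(-x^(2^k))
        rho, cur, k = mul(rho, conj), mul(cur, conj), k + 1
    return rho, cur[0]

def ext_gcd(a, b):
    """(d, s, t) with s*a + t*b = d = gcd(a, b) >= 0."""
    if b == 0: return (abs(a), 1 if a >= 0 else -1, 0)
    d, s, t = ext_gcd(b, a % b)
    return d, t, s - (a // b) * t

def bezout(f, g):
    """Step 1: u1, u2 in R with u1 f + u2 g = 1, via the integer norms R_f, R_g.
    gcd(R_f, R_g) = 1 is sufficient, not necessary, for coprimality in R: this is
    the heuristic part.  None means 'resample f, g'."""
    (rf, Rf), (rg, Rg) = norm_down(f), norm_down(g)
    d, s, t = ext_gcd(Rf, Rg)
    return None if d != 1 else ([s * c for c in rf], [t * c for c in rg])

def key_extension(f, g, q=Q):
    """Steps 2-4: (F, G) with f G - g F = -q, size-reduced against (f, g) by the
    rounded quotient <b1,b2>/<b1,b1> = (f* F + g* G)/(f* f + g* g) over R."""
    adj = lambda p: [p[0]] + [-c for c in p[:0:-1]]  # p*(x) = p(1/x), 1/x = -x^(n-1)
    u = bezout(f, g)
    if u is None: return None
    F, G = [q * c for c in u[1]], [-q * c for c in u[0]]            # Step 2
    num = [x + y for x, y in zip(mul(adj(f), F), mul(adj(g), G))]   # <b1, b2>
    den = [x + y for x, y in zip(mul(adj(f), f), mul(adj(g), g))]   # <b1, b1>
    rd, Rd = norm_down(den)                       # 1/den = rd / Rd, Rd > 0
    k = [(2 * c + Rd) // (2 * Rd) for c in mul(num, rd)]           # round over R
    return [x - y for x, y in zip(F, mul(k, f))], [x - y for x, y in zip(G, mul(k, g))]

f_toy, g_toy = [1, 1, 0, 1, 0, -1, 0, 0], [1, 1, 1, -1, 0, 1, 0, 0]  # 1+x+x^3-x^5, 1+x+x^2-x^3+x^5
```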
The modified NTRUSign key generation procedure
1. Sample $f, g$ from $D_\sigma^\times$.
2. If $f, g$ are not co-prime in $R$, restart.
3. Public key: $h = g/f\ [q]$.
4. Get secret key using NTRU's key extension procedure.

Outline of the talk
1- Regular NTRUEncrypt.
2- The Ideal-SVP and R-LWE problems.
3- The modified NTRUEncrypt.
4- Modifying NTRUSign.

What's the interest of this result?
What we prove: There are variants of NTRUEncrypt and NTRUSign that are secure under the assumption that Poly(n)-Ideal-SVP is hard. They're asymptotically as efficient as the original schemes.
It does not mean we should blindly move to the provable variants: they are most likely less practical.
What it means: The general design of NTRUEncrypt is sound. It hints that we could:
replace $hs$ by $hs + e$, to thwart trivial semantic attacks;
take less small coeffs for $f, g, s, e$, to improve security.

Work in progress and open problems
✓ A provably IND-CCA variant of NTRUEncrypt.
What about practice?
Which optimisations do not lower security?
What are the limits of the best known practical attacks?
How do we extrapolate these limits to reach given security levels?
Is Poly(n)-Ideal-SVP really so hard?