STRONG security that fits everywhere. P1363.1 D5 Overview William Whyte NTRU Cryptosystems December 2005.


P1363.1 D5 Overview. William Whyte, NTRU Cryptosystems, December 2005

NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005

Agenda
- Document walkthrough
- Timetable

Document Structure
1. Overview
2. References
3. Definitions
4. Types of Cryptographic Technique
5. Mathematical Conventions

Document Structure (2)
6. The SV Family
  - Algorithm specification conventions
7. Data types and conversions
8. Mathematical Foundation
  - Ring operations; fast multiplication techniques; inversion
9. Supporting Algorithms

Document Structure (3)
10. Encryption Scheme
  - Components
  - Primitives
  - Encoding Methods
  - Scheme Overview
  - Scheme Operations
11. Signature Scheme
  - Components
  - Primitives
  - Encoding Methods
  - Scheme Overview
  - Scheme Operations
12. Security Considerations
13. Bibliography

Document Structure: Annexes
- Editorial: Annexes were listed in the ToC by accident and will be removed.

Conversion Primitives
- Integer to/from octet string, bit string
- Ring element to/from octet string, bit string
- Binary ring element to/from octet string, bit string
- Octet string to/from bit string
  - BS2OSP in other standards pads on the left (designed for bit strings < 1 byte, or for integers). X9.98 converts to a "right-padded octet string".

Review: NTRU parameters
- N, dimension of the polynomial ring
  - NTRU works on polynomials of degree N-1
  - Polynomial multiplication is convolution multiplication: terms of degree > N are reduced mod N.
  - Increases roughly linearly with k for k-bit security
  - For 80-bit security, N = 251.
- q, "big" modulus
  - All coefficients in the polynomial are reduced mod q
  - For 80-bit security, q = 197.
  - Increases roughly linearly with k for k-bit security
- p, "small" modulus (used only in NTRUEncrypt)
  - Reduce mod p during decryption
  - p = 2 for all security levels.
- Sizes:
  - Public key, ciphertext size = N·⌈log2 q⌉ bits
  - Message size (bits) = N·⌊log2 ||p||⌋

Review: NTRUEncrypt Operations
- Key Generation
  - Generate f, g, "small" polynomials in Z_q[X]/(X^N - 1).
  - Public key h = p * f^-1 * g mod q; private key = (f, f_p = f^-1 mod p).
- Encrypt (raw operation)
  - Encode the message as a "small" polynomial m.
  - Generate a "small" random polynomial r.
  - Ciphertext e = r*h + m mod q.
- Decrypt (raw operation)
  - Set a = f*e mod q, where "mod q" means reduced into the range [A, A+q-1].
  - Set m = f_p * a mod p.

Review: Why Decryption Works
- a = f * e (mod q) = f * (r*h + m) (mod q) = f * (r*p*g*F_q + m) (mod q) = p*r*g + f*m (mod q), since f*F_q = 1 (mod q)
- All of the polynomials r, g, f, m are small, so the coefficients of p*r*g + f*m will all lie within q of each other.
- If its coefficients are reduced into the right range, the polynomial a(X) is exactly equal to p*r*g + f*m. Then f_p * a = p*r*g*f_p (mod p) + f_p*f*m (mod p) = m (mod p).
- For speed, we take f = 1 + pF; then f^-1 mod p = 1.

Review: SVES-3 encryption [diagram: inputs m, b, mLen, 00… padding and ID; blocks Hash and XOR; intermediate values r, r*h and m'; output e = r*h + m']

Parameter sets
- N, q, p
- Form of f, g
- How to produce M: length of b, means of encoding the message length
- How to produce r: ID, PRBG algorithm, means of converting the output to a polynomial (Blinding Value Generation Method)
- How to produce m': PRBG algorithm, minimum Hamming weight of m'
- How to decrypt: lower bound on the mod q range, called A (always 0 in this standard)

Subcategorization
- Parameters: fixed inputs
- Primitives: raw keygen, encrypt, decrypt
  - Included by analogy with 1363; since there is only one scheme in the document, should the primitives just be combined into the schemes?
- Encoding methods: BVGM
- Supporting algorithms: Hash, PRNG, MGF
  - Are these two categories logically distinct?

Different parameter sets
- F, r are binary polynomials, or "product-form" (p1*p2 + p3), with p1, p2, p3 binary
  - One set of each type at each security level
  - Product-form polynomial multiplications are faster: if p is product-form, p*a can be calculated as p1*(p2*a) + p3*a.
- Parameter sets give the number of 1s in each component polynomial: dF and dr, or df1, df2, df3, dr1, dr2, dr3
  - Fixed, optimal number of 1s: more would make operations slower, fewer would be insecure.

Key Pair Validation
- Key pair: check that F (or f1, f2, f3) and g = f*h/p have the right form according to the parameter set.
- Public key plausibility test: check that a significant amount of reduction mod q is likely to occur in calculating r*h.
- No full public key validation.
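As an added worked example (not code from the draft standard or from NTRU Cryptosystems), the raw NTRUEncrypt key generation, encryption and decryption reviewed above, the f = 1 + pF trick, the reduction of f*e into [A, A+q-1], and the key pair validation check g = f*h/p, on constructed toy parameters (N = 11, q = 17, dF = dg = dr = 3, chosen so that no decryption failure can occur):

```python
import random

# Toy parameters, constructed for illustration only (the standard's 80-bit set uses
# N = 251, q = 197, p = 2). q is prime and exceeds 2*min(dr,dg) + 1 + 2*dF = 13,
# so every coefficient of p*r*g + f*m lies in [0, q-1] and decryption cannot fail.
N, p, q = 11, 2, 17
dF, dg, dr = 3, 3, 3
A = 0  # lower end of the "mod q" range used in decryption (always 0 in P1363.1)


def mul(a, b):
    """Convolution product in Z[X]/(X^N - 1): exponents are reduced mod N."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c


def inverse_mod_q(f):
    """f^-1 in Z_q[X]/(X^N - 1) for prime q, by solving the circulant system x*f = 1."""
    rows = [[f[(i - j) % N] % q for j in range(N)] + [int(i == 0)] for i in range(N)]
    for c in range(N):  # Gauss-Jordan elimination over Z_q
        piv = next((r for r in range(c, N) if rows[r][c]), None)
        if piv is None:
            return None  # f is not invertible mod q
        rows[c], rows[piv] = rows[piv], rows[c]
        inv = pow(rows[c][c], -1, q)
        rows[c] = [x * inv % q for x in rows[c]]
        for r in range(N):
            if r != c and rows[r][c]:
                m = rows[r][c]
                rows[r] = [(x - m * y) % q for x, y in zip(rows[r], rows[c])]
    return [row[N] for row in rows]


def binary_poly(rng, d):
    """Binary polynomial with exactly d coefficients equal to 1."""
    poly = [0] * N
    for idx in rng.sample(range(N), d):
        poly[idx] = 1
    return poly


def keygen(rng):
    """Raw key generation: f = 1 + p*F (so f^-1 mod p = 1), h = p * f^-1 * g mod q."""
    while True:
        F, g = binary_poly(rng, dF), binary_poly(rng, dg)
        f = [int(i == 0) + p * Fi for i, Fi in enumerate(F)]
        f_q = inverse_mod_q(f)
        if f_q is not None:
            return [p * x % q for x in mul(f_q, g)], f


def encrypt(h, m, r):
    """Raw encryption: e = r*h + m mod q, with m and r binary."""
    return [(x + mi) % q for x, mi in zip(mul(r, h), m)]


def decrypt(f, e):
    """Raw decryption: f*e reduced into [A, A+q-1] equals p*r*g + f*m exactly; then mod p."""
    a = [A + (x - A) % q for x in mul(f, e)]
    return [x % p for x in a]  # f_p = 1 because f = 1 + p*F


def validate_keypair(f, h):
    """Key pair validation as in the draft: g = f*h/p mod q must be binary with dg ones."""
    g = [x * pow(p, -1, q) % q for x in mul(f, h)]
    return all(x in (0, 1) for x in g) and sum(g) == dg


def roundtrip_ok(seed=1, trials=50):
    """Encrypt/decrypt random binary messages with fresh blinding values r."""
    rng = random.Random(seed)
    h, f = keygen(rng)
    for _ in range(trials):
        m = [rng.randint(0, 1) for _ in range(N)]
        if decrypt(f, encrypt(h, m, binary_poly(rng, dr))) != m:
            return False
    return validate_keypair(f, h)
```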

NTRUSign
- Lattice-based signature scheme
- Pick two short polynomials (f, g) in the ring R = Z[X]/(X^N - 1)
- Find (F, G) s.t. f*G - g*F = q, q an integer (power of 2)
- Then ((f g) (F G)) is an R-module / lattice with det q and basis vectors of length N^(1/2) and N: the private key
- And h = g/f mod q defines an R-module / lattice with basis vectors of length N^(3/2): the public key
- Signing: the message is a point; solve CVP for this point using the good basis.
- Verification: check that the signature is in the lattice (using the bad basis) and close to the message point.

STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005  Use full basis B =, inverse B -1 =  message (0, m) –more efficient than (m 1, m 2 ), no security risk  Sign with a single public basis: (s, t) = B * Round (B -1 * (0, m))  Transmit s.  Verifying: –calculate t = s*h mod q. –make sure ||s||, ||m-t|| are small ( < N ) hash Signing & Verification

Supporting Techniques
- Message Representative Generation
  - 1: Hash the message into [0, q-1]^N
  - 2: Form the message representative as a product of small polynomials
    - Has efficiency advantages, but only in the case with no perturbations
  - Parameter sets only use method 1.

Security Considerations!
- Lattice
- All other

Check Lattice Strength
- We characterize the lattice by two variables:
  - c = √(2N) · √2·||f|| / √(Nq/(πe)) = 2||f||·√(πe/q)
    - Length of the shortest vector [√2·||f||] …
    - Divided by the expected length of the shortest vector for a lattice of the same determinant [= √(Nq/(πe))] …
    - Scaled by √(2N).
  - a = N/q.
- Experimentally, breaking time is very sensitive to c, somewhat sensitive to a.
- Experimentally, for fixed c, a, breaking time is exponential in N.
- For all the parameter sets given in the previous slide, we have a ≥ 1.25, c ≥ 2.58.

Lattice Strength
- The lower a and c, the faster reduction algorithms run.
- Run experiments at a and c much lower than those obtained for our parameter sets.
  - a = 0.535, c = 1.73;
  - Breaking time grows exponentially in N (measured in MIPS-years).
    - N = 251 ==> 1.37 × 10^13 MIPS-years, taking "zero-forcing" into account.
    - 80-bit security: ~10^12 MIPS-years
- The trend is concave upwards, and the actual NTRU lattice is stronger than this: the estimate is quite conservative.
- Paper available on the X9 website

STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005  F, g, r have df, dg, dr 1s respectively  Brute force-like search on F, g, r can be speeded up by meet-in-the- middle techniques.  Using these techniques, number of binary convolution multiplications needed to break f is –Each multiplication requires df.N additions  … perhaps divided by 2-8 if we use wordsize cleverly  In general, use number of multiplications as security measure  Attacker will go for easiest of (f, g), (r, m); pick df = dr.  Take g = N/2: larger = greater security Binary F, g, r: Combinatorial Security

Pick q, p
- Our choice:
  - Pick p = 2, and q to be the first prime greater than p·min(dr, dg) + p·min(df, N/2) with large order mod N.
    - This gives zero chance of decryption failures
    - Minimum q to do so, consistent with the choice of p, df.
  - Best lattice security

Other considerations
- Keys (and the random component b) must be generated with sufficient entropy
  - Added section B.3.1 stating that the RNG should be seeded with k+64 bits
- r*h must result in a reasonable amount of reduction mod q
  - Otherwise an attacker can recover r by linear algebra
- N must be prime; if it is divisible by l, one can form a lattice of dimension 2N/l.
- e(1) = r(1)h(1) + m'(1), and r(1) and h(1) are known; therefore the ciphertext leaks m'(1)
  - Require m' to be blinded.
- q must have large order mod N: a similar attack to the above might otherwise leak the value of m'(X) in larger fields. The chance of this happening is q^(-order(q mod N)).

Other considerations (2)
- p and q must be relatively prime
- Need to prevent adaptive chosen-ciphertext attacks with an appropriate scheme
  - For k-bit security, the length of the random component b = k bits
  - Consistent with standard security proofs.
- If q is too small relative to f, r, g, m, decryption failures can occur
  - This will not happen for any of the given parameter sets
- ID is included to ensure that sender and receiver are using the same parameter set
- The blinding value r is generated as a series of indices < N
  - Mechanisms in the standard guarantee that these are uniformly distributed.

Security Levels: Encryption
- Provided parameter sets for each security level k = {80, 112, 128, 160, 192, 256}.
  - Do we need 160?
- 2 parameter sets at each level
  - "Binary": lower bandwidth, less RAM
  - "Product-form": faster
- Standard table of strengths
  - Note that SHA-160 is suitable as the core of an RNG up to 128-bit security; the 80-bit limit in the table is for direct use as a hash function
  - Captured in text, not in the table.

Binary Parameter Sets (table; cell values not captured in the transcript)
- Columns: Parameter set, k, N, d, dm0, q, O(q), c (F, g), c (r, m), T(L), rT, zf(L), adds, size (bits)
- Rows: ees251ep, ees347ep, ees397ep, ees491ep, ees587ep, ees787ep

Product-form Parameter Sets (table; cell values not captured in the transcript)
- Columns: Parameter set, k, N, d, dm0, q, O(q), c (F, g), c (r, m), T(L), rT, zf(L), adds, size (bits)
- Rows: ees251ep, ees347ep, ees397ep, ees491ep, ees587ep, ees787ep

Signing Security Considerations
- To be filled in.
- Four main attacks
  - Brute-force search on the keyspace (square-rooted by combinatorial methods)
  - Lattice reduction attack on the public key to recover the private key (SVP)
  - Brute-force search on the possible signature space to find a signature (also square-rootable)
  - Lattice reduction attack on the public key and message to generate a signature (CVP)

Improved Lattice Security Allows Smaller N than for NTRUEncrypt
- In the standard lattice ((f g) (F G)), (f g) is a short vector of length O(√N).
- In the transpose lattice, (f F) is a short vector of length O(N).
  - Improved c by a factor of √N?
- An attacker can "balance" the lattice so f & F are of the same length, but this changes the determinant
  - Improves c_transpose by a factor of N^(1/4) compared to c_standard.
- Increase N, hold d/N constant:
  - combinatorial security increases exponentially
  - lattice security increases superexponentially
- Note: the LHS of the signature is smaller than the RHS; balance with the balancing factor β.

CVP
- Difficulty of solving for a signature by lattice reduction is linked to the constant γ.
  - γ = N / (σ · √(2N)).
    - Norm bound …
    - Divided by the expected length of the shortest vector …
    - Scaled by 1/√(2N).
- In this case, smaller γ = required to solve CVP "better" = harder lattice problem

Signature Parameter Generation
- Want to pick (N, d, q, β, NB) s.t.
  - strength against all attacks is greater than k bits
  - performance is optimized
    - smallest public keys/bandwidth
    - fastest operations
- Paper presents an iterative process:
  - Loop through N, d, q
  - Calculate the expected size of the signature
  - Set NB = ρ × size of signature (ρ typically 1.1–1.25; affects the chance of having to re-sign, essentially negligible for the specified parameter sets)
  - Check strength against the specified attacks
  - Store all acceptable parameter sets; output the one with the best performance using the chosen metric.

Transcript Analysis
- If the message were random within a ball of radius NormBound, the transcript could not leak information
- The transcript is s = d*f + D*F
  - d, D are in {-1/2, 1/2}^N
  - d, D slightly constrained: s must have integer coefficients.
- Leaks information about the geometry of the lattice

Signing with Perturbations
- Message is (0, m); public basis is B_0; b private bases B_1 … B_b.
  - Set (s_{b+1}, t_{b+1}) = (0, m).
- For each private basis i in turn, i = b, b-1, … 1:
  - Input point is (s_{b+1}, t_{b+1})
  - (s_i, t_i) = result of solving appr-CVP in basis B_i on the point (s_{i+1}, t_{i+1}).
- Signature is appr-CVP on (s_1, t_1) in B_0.
- Can implement this such that each private basis operation requires:
  - 2 multiplies by (f_i, F_i) (or (f_i, g_i) in the transpose lattice)
  - One multiply by h_i.

STRONG security that fits everywhere. NTRU CRYPTOSYSTEMS, INC. COPYRIGHT © 2005  s = d * f + D * F –d, D are {-1/2, 1/2} N  First moment: s averages to 0 –Subtranscripts don’t appear to help.  Second moment: Can find quantities that behave like norms (don’t average to 0) –Define p rev (X) = p(X -1 ) for any polynomial p  if p = [f 0, f 1, f 2, …], then p rev = [f 0, f N-1, f N-2, …] –Constant coordinate of p * p rev = p ¢ p = squared norm of p  0  Other coordinates are p dotted with its rotations –s * s rev will average to non-zero result.  Notation: –denote average of x by Transcript Analysis

NTRUSign with Perturbations [diagram: private basis vectors (f, g), (F, G) and perturbation basis vectors (f_1, g_1), (F_1, G_1); the point (s, t-m) is shown without perturbations and with perturbations]

Security Claim for Perturbations
- Number of signatures required to recover the private key = number required to converge on the 6th moment
  - = O(2^9 d^6)
  - Highly conservative
    - Could be that the 8th moment is actually required
    - Big-O constant is considerably more than 1.
- In the paper, take a single perturbation at each security level
  - Required transcript is > 10^9.

Improved Parameter Sets
- k: security level; d: f consists of d+1 +1s, d -1s, and (N-2d-1) 0s; β: signature normalization factor; Norm: how close you have to be for a signature to pass
- τ: attacker requires >> 2^τ signatures to recover the private key.
- Table (cell values not captured in the transcript); columns: k, N, d, q, β, Norm, τ

Timetable
- End of December: complete Editorial Review and NTRUSign Security Considerations
- January: present to the working group and request written comments
- March: first WG vote, hopefully with comments resolved.
- May?: go into Sponsor Ballot