
1 NTRUSign Technical Overview
NTRUSign: Digital Signatures in the NTRU Lattice
Jeff Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joe Silverman, William Whyte
STRONG security that fits everywhere. PROPRIETARY AND CONFIDENTIAL

2 NTRUSign Summary (NTRU Cryptosystems, Inc. Copyright © 2003)
• Lattice-based signature scheme.
• Pick two short polynomials (f, g) in the ring R = Z[X]/(X^N - 1).
• Find (F, G) such that f*G - g*F = q, where q is an integer (a power of 2).
• Then the rows ((f, g), (F, G)) span an R-module / lattice of determinant q, with basis vectors of length about N^{1/2} and N: this is the private key.
• With h = g/f mod q, the rows ((1, h), (0, q)) span the same lattice, with basis vectors of length about N^{3/2}: this is the public key.
• Signing: the message is a point; solve (approximate) CVP for that point using the good basis.
• Verification: check that the signature is in the lattice (using the bad basis) and close to the message point.

3 Close Vector Problem in 2d
[Figure: m plotted against the good basis, labelled 4.6 (f,g) and 1.3 (F,G); the nearest lattice point is 5 (f,g) + 1 (F,G)]
Good basis for the lattice: ((f,g), (F,G)) = ((7,1), (2,18)).
m = (35,25); rounding the good-basis coordinates gives (s,t) = 5 (f,g) + 1 (F,G) = (37,23).
||m - (s,t)|| = √8 ≈ 2.8.

4 Close Vector Problem
[Figure: m plotted against the bad basis, labelled -20 (0,q) + 35 (1,h); the good-basis point 5 (f,g) + 1 (F,G) shown for comparison]
Bad basis for the lattice: ((1,h), (0,q)) = ((1,71), (0,124)).
m = (35,25); rounding in the bad basis gives (s',t') = (35,5), with t' = s'*h mod q.
||m - (s',t')|| = 20 (good basis: ≈ 2.8).

5 Close Vector Problem
[Figure: the same lattice with the good basis ((f,g),(F,G)) and the bad basis ((1,h),(0,q)) overlaid]
• Finding a complete good basis will let us solve CVP well.
• The good half-basis (f,g) isn't good enough on its own.
• Need to find another half that's considerably better than (1,h) or (0,q).
• (f,g) and (1,h) or (0,q) don't even generate the whole lattice!

6 NTRU Lattice/Module
• Isomorphism between two rings:
  – Polynomials with integer coefficients under convolution multiplication, a(X) = a_0 + a_1 X + a_2 X^2 + … + a_{N-1} X^{N-1}, i.e. the ring Z[X]/(X^N - 1)
  – N×N circulant matrices over the integers
• NTRU works on objects in these rings.
• The NTRU "lattice" (really a module) is a 2×2 matrix of these objects.

7 NTRU Lattice
• System parameterized by (public) N, q.
  – Polynomials of degree at most N-1
  – q an integer (typically 128)
• h = g/f mod q; h is a public polynomial (the public key).
• All vectors in the lattice have the form (u,v) with v = u*h mod q.
• (f,g) is a small lattice vector.
  – Given just (f,g) you know a small vector, but not the entire basis.

8 NTRU Problem in 1 dimension
• h = 71, q = 124
• Find (f, g) such that
  – f*h = g mod q (easy!) AND
  – f, g are both small (hard!)

9 NTRU Lattice with N = 1
[Figure: the lattice drawn with both bases; the labelled points are 5 (f,g) + 1 (F,G) and -20 (0,q) + 35 (1,h)]
((f,g), (F,G)) = ((7,1), (2,18))
((1,h), (0,q)) = ((1,71), (0,124))
g = f*h mod q and G = F*h mod q (here 7*71 = 497 = 1 mod 124 and 2*71 = 142 = 18 mod 124).
Note: t = s*h mod q = 37 * 71 mod 124 = 2627 mod 124 = 23.

10 Getting a Good Basis
• The good half-basis (f,g) isn't good enough on its own.
• Need to find another half that's considerably better than (1,h) or (0,q).
  – (f,g) and (1,h) or (0,q) don't even generate the whole lattice!

11 Keygen (1): Unimodular Matrix
• Want to find a, b such that the matrix ((f, g), (a, b)) is unimodular, i.e. f*b - a*g = 1 mod (X^N - 1).
• Solve using resultants:
  – ρ_f f + κ_f (X^N - 1) = R_f
  – ρ_g g + κ_g (X^N - 1) = R_g
  – R_f, R_g ∈ Z (the resultants), so if gcd(R_f, R_g) = 1 we can solve u R_f + v R_g = 1 over the integers
  – Then u ρ_f f + v ρ_g g = 1 mod (X^N - 1), so b = u ρ_f and a = -v ρ_g.
• Can work modulo a set of small primes and use CRT to recombine.

12 Keygen (2): Producing the NTRU Lattice
• Scale the second row by q: (F, G) = (q a, q b), so f*G - g*F = q and ((f, g), (F, G)) has determinant q.

13 Keygen (3): Making F, G smaller
[Figure: (F,G) = (qa,qb) before and after subtracting k*(f,g)]
• Minimize the projection of (F,G) onto the (f,g) subspace
  – effectively solving CVP for (F,G) against (f,g): subtract k*(f,g) from (F,G), where k is the rounded projection coefficient
• After this, F ≈ [-½, ½]^N * f and G ≈ [-½, ½]^N * g (a rounding error times the short vector)
• ||f,g|| ~ √N; ||F,G|| ~ √(N/12) * ||f,g|| ~ N/√12

14 Keygen (4): Transposing
• Transpose the lattice
  – ((f g) (F G)) and its transpose ((f F) (g G)) have the same determinant q
  – Using the transpose ((f F) (g G)) can improve efficiency
• Signing can be accomplished using only the first column
  – Also improves security

15 Signing & Verification
• Use the full basis B = ((f, g), (F, G)); since det B = q, its inverse is B^-1 = (1/q) ((G, -g), (-F, f)).
• The message is the point (0, m), where m is the hash of the message.
  – more efficient than (m_1, m_2), no security risk
• Sign with a single private basis: (s, t) = B * Round(B^-1 * (0, m)).
• Transmit s.
• Verifying:
  – calculate t = s*h mod q.
  – make sure ||s|| and ||m - t|| are small (< NormBound).
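The round-off signing of slide 15 and the two-dimensional CVP pictures of slides 3, 4 and 9, as an added worked example (this is our own code, not code from the presentation or from NTRU Cryptosystems). The ring arithmetic is written for general N, but the key used is the deck's N = 1 toy key (f, g, F, G) = (7, 1, 2, 18), q = 124, h = 71, so every polynomial is a single integer; the function names, the norm bound of 5 and the key-validity check are our assumptions. The real coordinates of m = (35, 25) in the good basis work out to about 4.68 and 1.13, which round to the 5 and 1 shown on the slide; rounding in the public basis cannot move the first coordinate at all, which is why it lands 20 away.

```python
"""Toy NTRUSign in R = Z[X]/(X^N - 1): Babai round-off signing and verification.

Added example, not code from the original presentation. The N = 1 key
(f, g, F, G) = (7, 1, 2, 18), q = 124, h = 71 and the point m = (35, 25)
are the slide deck's numbers; the generic-N plumbing, the function names
and the norm bound are our own construction.
"""
from fractions import Fraction
from math import sqrt


def mul(a, b, n):
    """Convolution product in Z[X]/(X^n - 1) (cyclic convolution of coefficient lists)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] += ai * bj
    return out


def add(a, b):
    return [x + y for x, y in zip(a, b)]


def sub(a, b):
    return [x - y for x, y in zip(a, b)]


def centre(a, q):
    """Reduce coefficients mod q into the symmetric range [-q/2, q/2)."""
    return [((x + q // 2) % q) - q // 2 for x in a]


def norm(*polys):
    """Euclidean length of the concatenation of the given coefficient vectors."""
    return sqrt(sum(x * x for p in polys for x in p))


def key_is_valid(key):
    """The private basis ((f, g), (F, G)) must have determinant f*G - g*F = q,
    and the public key must satisfy g = f*h mod q."""
    n, q = key["N"], key["q"]
    det = sub(mul(key["f"], key["G"], n), mul(key["g"], key["F"], n))
    fh_minus_g = sub(mul(key["f"], key["h"], n), key["g"])
    return det == [q] + [0] * (n - 1) and all(x % q == 0 for x in fh_minus_g)


def sign_good_basis(m1, m2, key):
    """(s, t) = B * Round(B^-1 * (m1, m2)) with B = ((f, g), (F, G)).
    Since det B = q, B^-1 = (1/q) * ((G, -g), (-F, f)), so the real coordinates
    of the point in the good basis are a = (m1*G - m2*F)/q, b = (m2*f - m1*g)/q."""
    n, q = key["N"], key["q"]
    f, g, F, G = key["f"], key["g"], key["F"], key["G"]
    a = [round(Fraction(x, q)) for x in sub(mul(m1, G, n), mul(m2, F, n))]
    b = [round(Fraction(x, q)) for x in sub(mul(m2, f, n), mul(m1, g, n))]
    s = add(mul(a, f, n), mul(b, F, n))
    t = add(mul(a, g, n), mul(b, G, n))
    return s, t


def sign_public_basis(m1, m2, key):
    """Same round-off with the bad basis ((1, h), (0, q)): the first coordinate
    is forced to be exactly m1, so the second can only move in steps of q."""
    n, q, h = key["N"], key["q"], key["h"]
    e = [round(Fraction(x, q)) for x in sub(m2, mul(m1, h, n))]
    t = add(mul(m1, h, n), [q * x for x in e])
    return m1, t


def verify(m1, m2, s, key, norm_bound):
    """The verifier knows only h and q: recompute t = s*h mod q (this is the
    lattice-membership check) and measure the distance to the message point."""
    n, q, h = key["N"], key["q"], key["h"]
    t = [x % q for x in mul(s, h, n)]
    dist = norm(sub(m1, s), centre(sub(m2, t), q))
    return dist <= norm_bound, dist


# Constructed from the slides: N = 1, so every polynomial is a single integer.
SLIDE_KEY = {"N": 1, "q": 124, "f": [7], "g": [1], "F": [2], "G": [18], "h": [71]}


def slide_example(norm_bound=5.0):
    """Reproduce slides 3, 4 and 9: sign m = (35, 25) with both bases and verify."""
    m1, m2 = [35], [25]
    s_good, t_good = sign_good_basis(m1, m2, SLIDE_KEY)
    s_bad, t_bad = sign_public_basis(m1, m2, SLIDE_KEY)
    ok_good, d_good = verify(m1, m2, s_good, SLIDE_KEY, norm_bound)
    ok_bad, d_bad = verify(m1, m2, s_bad, SLIDE_KEY, norm_bound)
    return {
        "valid_key": key_is_valid(SLIDE_KEY),
        "good": (s_good[0], t_good[0], ok_good, round(d_good, 2)),
        "bad": (s_bad[0], t_bad[0], ok_bad, round(d_bad, 2)),
    }


if __name__ == "__main__":
    print(slide_example())
```

`verify` never sees the signer's t: it recomputes t from s and h, which is exactly the membership test of slide 2, and the distance check uses the centred residue of m - t because t is only defined mod q. With the toy norm bound of 5, the good-basis signature (37, 23) at distance √8 ≈ 2.83 passes and the public-basis attempt (35, 5) at distance 20 fails. For N > 1 the same functions work unchanged given a valid key; no key generation for real N is included here.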

16 Security Considerations
• Four main attacks:
  – Brute force search on the keyspace (square-rooted by combinatorial methods)
  – Lattice reduction attack on the public key to recover the private key (SVP)
  – Brute force search on the possible signature space to find a signature (also square-rootable)
  – Lattice reduction attack on the public key and message to generate a signature (CVP)

17 Brute Force Search
• On the key: search all possible f and check whether F = f*h mod q is relatively small (the transposed-lattice form of slide 20, where (f, F) is the short vector; in the standard lattice the test is on g = f*h mod q).
  – Roughly square-rootable using meet-in-the-middle techniques
  – f and g have d+1 coefficients equal to +1 and d equal to -1: search time is ~ (N choose d+1)/√N.
• On the signature: search through (m + Δ) and check whether s = (m + Δ)/h mod q is small enough.
  – Can calculate the chance that this will be the case
  – Also apparently square-rootable using meet-in-the-middle techniques
• Could also pick only some coefficients of (m + Δ) and find the rest by lattice reduction
  – This always turns out to be slower

18 SVP
• We characterize the lattice by two variables:
  – c = √(2N) · √2 ||f,F|| / σ = 2 ||f,F|| √(πe/q), i.e. the length of the shortest vector [≈ √2 ||f,F||], divided by the expected length of the shortest vector for a lattice of the same determinant [σ = √(Nq/(πe))], scaled by √(2N). Related to the orthogonality defect.
  – a = N/q.
• Experimentally, breaking time is very sensitive to c, somewhat sensitive to a.
• Experimentally, for fixed c, a, breaking time is exponential in N.
• Larger c = longer breaking time.

19 Lattice Security for different c
[Figure: breaking time versus N for several values of c]

20 Transpose Lattice
• In the standard lattice ((f g) (F G)), (f g) is a short vector of length O(√N).
• In the transpose lattice ((f F) (g G)), (f F) is a short vector of length O(N).
  – Improved c by a factor of √N?
• An attacker can "balance" the lattice so that f and F have the same length, but this changes the determinant
  – Net effect: c_transpose improves by a factor of N^{1/4} compared to c_standard.
• Increase N, holding d/N constant:
  – combinatorial security increases exponentially
  – lattice security increases superexponentially
• Note: the LHS of the signature is smaller than the RHS; balance them with a balancing factor β.

21 CVP
• The difficulty of forging a signature by lattice reduction is linked to the constant γ.
  – γ = NormBound / (σ · √(2N)): the norm bound, divided by the expected length of the shortest vector σ, scaled by 1/√(2N).
• In this case, smaller γ = the attacker must solve CVP "better" = harder lattice problem.

22 Signature Parameter Generation
• Want to pick (N, d, q, β, NB) such that
  – strength against all attacks is greater than k bits
  – performance is optimized: smallest public keys/bandwidth, fastest operations
• The paper presents an iterative process:
  – Loop through N, d, q
  – Calculate the expected size of a signature
  – Set NB = ρ * expected signature size (ρ typically 1.1 – 1.25; it affects the chance of having to re-sign, essentially negligible for the specified parameter sets)
  – Check strength against the specified attacks
  – Store all acceptable parameter sets; output the one with the best performance under the chosen metric.

23 Transcript Analysis
• If the signature point were uniformly random within the ball of radius NormBound around the message, the transcript could not leak information.
• Instead the transcript is s = d*f + D*F
  – d, D are in [-½, ½]^N (the rounding errors of the CVP step)
  – d, D are slightly constrained: s must have integer coefficients.
• This leaks information about the geometry of the lattice.

24 Signing with Perturbations
• The message is (0, m); the public basis is B_0; there are b private bases B_1 … B_b.
  – Set (s_{b+1}, t_{b+1}) = (0, m).
• For each private basis i in turn, i = b, b-1, …, 1:
  – The input point is (s_{i+1}, t_{i+1})
  – (s_i, t_i) = result of solving approximate CVP in basis B_i on the point (s_{i+1}, t_{i+1}).
• The signature is the approximate CVP solution for (s_1, t_1) in B_0.
• This can be implemented such that each private-basis operation requires:
  – 2 multiplies by (f_i, F_i) (or (f_i, g_i) in the transpose lattice)
  – One multiply by h_i.

25 Second moment analysis
• ⟨s * s_rev⟩ = ⟨d*d_rev⟩ f*f_rev + ⟨D*D_rev⟩ F*F_rev + cross terms
  – The cross terms are not independent, but they vanish
  – ⟨d*d_rev⟩ and ⟨D*D_rev⟩ are known quantities (d, D uniform in [-½, ½]^N)
  – Similar result for g, G.
• Lets us recover the Gram matrix M of the good basis B.
• This can be obtained exactly after ~10,000 signatures.
• Going from M to B requires the attacker to solve a 2N-dimensional lattice problem
  – An orthogonal basis is conjectured to be easier; open research problem

26 Fourth Moment Analysis
• Now look at the result of averaging fourth-order products of s.
• This converges to an expression of the form [not recoverable from the transcript] with b, c both known.
• The attacker can combine this with the second-moment result to get [not recoverable from the transcript]
  – The attack due to Gentry and Szydlo then recovers f in time O(N^7).
• If it is easy, given the (real-valued) fourth-moment average, to obtain that quantity
  – then the attacker needs more than 10^8 signatures to recover f
• Otherwise
  – the attacker needs more than 10^14 signatures to recover f.

27 Transcript Analysis
• s = d*f + D*F
  – d, D are in [-½, ½]^N
• First moment: s averages to 0
  – Sub-transcripts don't appear to help.
• Second moment: we can find quantities that behave like norms (don't average to 0)
  – Define p_rev(X) = p(X^-1) for any polynomial p: if p = [p_0, p_1, p_2, …, p_{N-1}], then p_rev = [p_0, p_{N-1}, p_{N-2}, …, p_1]
  – The constant coordinate of p * p_rev is p · p = the squared norm of p ≥ 0
  – The other coordinates are p dotted with its rotations
  – So s * s_rev will average to a non-zero result.
• Notation: denote the average of x over the transcript by ⟨x⟩.
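The first- and second-moment computation of slides 23, 25 and 27, as an added numerical example (our own code, not code from the presentation). It uses the deck's model of an unperturbed signature, s = d*f + D*F with d, D uniform in [-½, ½]^N, and checks that ⟨s⟩ tends to 0 while ⟨s * s_rev⟩ tends to (N/12)(f*f_rev + F*F_rev): E[d_i d_j] is 1/12 for i = j and 0 otherwise, so the constant coordinate of ⟨d*d_rev⟩ is N/12 and the rest vanish. The polynomials F_SMALL and F_BIG and the dimension N = 7 are constructed for illustration and are not an NTRUSign key pair; the integrality constraint on s is ignored, as on the slide. This averaging is the starting point that later published work (Nguyen and Regev, 2006) turned into a practical key-recovery attack on unperturbed NTRUSign, so the transcript lengths the deck quotes should be read with that in mind.

```python
"""Second-moment transcript analysis of NTRUSign signatures.

Added example, not code from the presentation. Model: s = d*f + D*F with
d, D uniform in [-1/2, 1/2]^N (the slide's model). F_SMALL and F_BIG are
constructed stand-ins for f and F, not a real key.
"""
import random

N = 7                                   # toy dimension (constructed)
F_SMALL = [1, -1, 0, 1, 0, -1, 1]       # plays the role of f: small, trinary
F_BIG = [5, -3, 8, -7, 2, 6, -4]        # plays the role of F: larger coefficients


def mul(a, b, n):
    """Convolution product in Z[X]/(X^n - 1)."""
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % n] += ai * bj
    return out


def rev(p):
    """p_rev(X) = p(X^-1): [p0, p1, ..., p_{n-1}] -> [p0, p_{n-1}, ..., p1]."""
    return [p[0]] + p[:0:-1]


def autocorrelation(p, n):
    """p * p_rev: the constant coefficient is ||p||^2, coefficient k is the dot
    product of p with its rotation by k positions."""
    return mul(p, rev(p), n)


def model_signature(f, F, n, rng):
    """One transcript element s = d*f + D*F with d, D uniform in [-1/2, 1/2]^n.
    The rounding errors are treated as real-valued; the constraint that s has
    integer coefficients is ignored in this model, as on the slide."""
    d = [rng.uniform(-0.5, 0.5) for _ in range(n)]
    D = [rng.uniform(-0.5, 0.5) for _ in range(n)]
    return [x + y for x, y in zip(mul(d, f, n), mul(D, F, n))]


def transcript_moments(f, F, n, samples, seed=1):
    """Average of s (first moment) and of s * s_rev (second moment) over a
    transcript of `samples` signatures."""
    rng = random.Random(seed)
    first = [0.0] * n
    second = [0.0] * n
    for _ in range(samples):
        s = model_signature(f, F, n, rng)
        for k in range(n):
            first[k] += s[k]
        for k, x in enumerate(autocorrelation(s, n)):
            second[k] += x
    return [x / samples for x in first], [x / samples for x in second]


def predicted_second_moment(f, F, n):
    """E[d_i d_j] = (1/12)[i == j] and d, D independent: the cross terms vanish
    and <s * s_rev> = (n/12) * (f*f_rev + F*F_rev)."""
    ff = autocorrelation(f, n)
    FF = autocorrelation(F, n)
    return [n * (x + y) / 12 for x, y in zip(ff, FF)]


def demo(samples=20000):
    """Return (first moment, observed second moment, predicted second moment,
    largest absolute deviation between observed and predicted)."""
    first, observed = transcript_moments(F_SMALL, F_BIG, N, samples)
    predicted = predicted_second_moment(F_SMALL, F_BIG, N)
    max_err = max(abs(o - p) for o, p in zip(observed, predicted))
    return first, observed, predicted, max_err


if __name__ == "__main__":
    first, observed, predicted, max_err = demo()
    print("first moment ", [round(x, 2) for x in first])
    print("observed     ", [round(x, 1) for x in observed])
    print("predicted    ", [round(x, 1) for x in predicted])
    print("max deviation", round(max_err, 2))
```

With 20,000 model signatures the observed ⟨s * s_rev⟩ agrees with (N/12)(f*f_rev + F*F_rev) to within a few percent in every coordinate while ⟨s⟩ stays near zero, which is the leak the deck describes: f*f_rev + F*F_rev (and, from t - m, the matching g, G quantity) is the Gram-matrix data of the private basis. A real transcript differs from this model only in the integrality constraint on s, which the slide notes is a slight one.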

28 NTRUSign with Perturbations
[Figure: the signature error (s, t-m) drawn in the basis ((f,g),(F,G)) without perturbations, and in the perturbation basis ((f_1,g_1),(F_1,G_1)) with perturbations]

29 Perturbation Considerations
• Expected size of a perturbed signature: size of the unperturbed signature * √(b+1)
• Standard parameters are N = 251, q = 128, b = 1:
  – Expected size = 293; NormBound = 310
  – Signatures exceed the NormBound about one time in 500.
• Solution: instead of obtaining m as H(M), obtain m as H(M||r)
  – Pick r randomly (it need only be 1 byte)
  – If the signature fails the norm check, try again with a different r.

30 Preventing Second-Moment Analysis
• Keep secret vectors (v, w), (V, W) with the private key.
• Instead of solving CVP for (0, m), solve it for a perturbed target [not recoverable from the transcript]
  – The perturbation is obtained by solving CVP in another lattice
  – For an appropriate choice, (s, t) will still sign (0, m).
• Now the attacker requires the 8th moment to recover f directly, and the 6th for the Gram matrix
  – expect the necessary transcript to be larger than for the 4th moment by a factor of 10^14 or more
• More efficient techniques may be possible.

31 NTRUSign with Perturbations
[Figure: the signature point written as 4 (f,g) + 2 (F,G) in the private basis and as 6 (f_1,g_1) - 1 (F_1,G_1) in the perturbation basis; verify: check this is short]

32 Security Claim for Perturbations
• Number of signatures required to recover the private key = number required to converge on the 6th moment
  – = O(2^9 d^6)
  – Highly conservative: it could be that the 8th moment is actually required, and the big-O constant is considerably more than 1.
• In the paper, we take a single perturbation at each security level
  – Required transcript is > 10^9.

33 Improved Parameter Sets
• Up now at http://www.ntru.com
• k: security level; d: f consists of d+1 +1s, d -1s, and (N-2d-1) 0s; β: signature normalization factor; Norm: how close you have to be for a signature to pass; τ: attacker requires >> 2^τ signatures to recover the private key.
• Have at them!

  k     N     d    q     β      Norm     τ
  80    157   29   256   0.384  150.02   31.9
  112   197   28   256   0.514  206.91   32.2
  128   223   32   256   0.655  277.52   31.2
  160   263   45   512   0.315  276.53   34.9
  192   313   50   512   0.406  384.41   35.6
  256   349   75   512   0.185  368.62   38.9

34 Performance
  k     N     NTRU key size (bits)   ECC key size (bits)   RSA key size (bits)   Signing speed vs ECC   Verify speed vs ECC
  80    157   1256                   192                   1024                  1.84                   5.31
  112   197   1576                   224                   2048                  2.05                   5.12
  128   223   1784                   256                   3072                  2.60                   6.51
  192   313   2817                   384                   7680                  4.20                   11.15
  256   349   3141                   512                   15360                 4.82                   15.28
(NTRU key size = N coefficients of log2(q) bits each: 8 bits for q = 256, 9 bits for q = 512.)

35 Next Steps
• The WG voted in 2004 to include NTRUSign in 1363.1.
• The transpose lattice and perturbations were already described at that point.
• The only action arising from this presentation is to update the security considerations section
  – Include the suggested parameter sets.

