NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the...
Transcript of NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the...
![Page 1: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/1.jpg)
NTRU
Cong Chen, Oussama Danba, Je˙rey Ho˙stein, Andreas Hülsing, Joost Rijneveld, John M. Schanck,
Peter Schwabe, William Whyte, Zhenfei Zhang
Second round update 2019-08-24
1 / 10
![Page 2: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/2.jpg)
#Saito–Xagawa–Yamakawa (Eurocrypt 2018)I Deterministic encryptionI CCA2 KEM via re-encryption and
implicit rejection
−!
#NTRU
(NIST Round 2)
NTRU-HRSS-KEM (NIST Round 1) I Perfect correctness I Arbitrary-weight trinary vectors I One nice parameter set I Probabilistic encryption I CCA2 KEM via Dent “Table 5” /
Targhi–Unruh
NTRUEncrypt (NIST Round 1) I Imperfect correctness I Fixed-weight trinary vectors I Many nice parameter sets I Probabilistic encryption I CCA2 PKE via NAEP
2 / 10
![Page 3: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/3.jpg)
−!
#NTRU
(NIST Round 2)
NTRU-HRSS-KEM (NIST Round 1) I Perfect correctness I Arbitrary-weight trinary vectors I One nice parameter set I Probabilistic encryption I CCA2 KEM via Dent “Table 5” /
Targhi–Unruh
# Saito–Xagawa–Yamakawa (Eurocrypt 2018) I Deterministic encryption I CCA2 KEM via re-encryption and
implicit rejection
NTRUEncrypt (NIST Round 1) I Imperfect correctness I Fixed-weight trinary vectors I Many nice parameter sets I Probabilistic encryption I CCA2 PKE via NAEP
2 / 10
![Page 4: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/4.jpg)
#
NTRU-HRSS-KEM (NIST Round 1) I Perfect correctness I Arbitrary-weight trinary vectors I One nice parameter set I Probabilistic encryption I CCA2 KEM via Dent “Table 5” /
Targhi–Unruh
# Saito–Xagawa–Yamakawa (Eurocrypt 2018) I Deterministic encryption I CCA2 KEM via re-encryption and
implicit rejection
NTRUEncrypt (NIST Round 1) I Imperfect correctness I Fixed-weight trinary vectors I Many nice parameter sets I Probabilistic encryption I CCA2 PKE via NAEP
NTRU −! (NIST Round 2)
2 / 10
![Page 5: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/5.jpg)
NTRU-HRSS-KEM (NIST Round 1) I Perfect correctness I Arbitrary-weight trinary vectors I One nice parameter set I Probabilistic encryption I CCA2 KEM via Dent “Table 5” /
Targhi–Unruh
# Saito–Xagawa–Yamakawa (Eurocrypt 2018) I Deterministic encryption I CCA2 KEM via re-encryption and
implicit rejection
NTRUEncrypt (NIST Round 1) I Imperfect correctness I Fixed-weight trinary vectors I Many nice parameter sets I Probabilistic encryption I CCA2 PKE via NAEP
# NTRU −! (NIST Round 2)
2 / 10
![Page 6: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/6.jpg)
NTRU-HRSS-KEM (NIST Round 1) I Perfect correctness I Arbitrary-weight trinary vectors I One nice parameter set I Probabilistic encryption I CCA2 KEM via Dent “Table 5” /
Targhi–Unruh
# Saito–Xagawa–Yamakawa (Eurocrypt 2018) I Deterministic encryption I CCA2 KEM via re-encryption and
implicit rejection
NTRUEncrypt (NIST Round 1) I Imperfect correctness I Fixed-weight trinary vectors I Many nice parameter sets I Probabilistic encryption I CCA2 PKE via NAEP
# NTRU −! (NIST Round 2)
2 / 10
![Page 7: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/7.jpg)
Correct: (Encrypt(m) = c) ) (Decrypt(c) = m)Rigid: (Encrypt(m) = c) ( (Decrypt(c) = m)
Rigidity is often enforced through re-encryption...some schemes can avoid it.
Eliminating re-encryption: rigidity
Bernstein–Persichetti (ePrint 2019/256):
ROM CCA2 KEM � correct rigid deterministic PKE + implicit rejection
3 / 10
![Page 8: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/8.jpg)
Rigid: (Encrypt(m) = c) ( (Decrypt(c) = m)
Rigidity is often enforced through re-encryption...some schemes can avoid it.
Eliminating re-encryption: rigidity
Bernstein–Persichetti (ePrint 2019/256):
ROM CCA2 KEM � correct rigid deterministic PKE + implicit rejection
Correct: (Encrypt(m) = c) ) (Decrypt(c) = m)
3 / 10
![Page 9: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/9.jpg)
Rigidity is often enforced through re-encryption...some schemes can avoid it.
Eliminating re-encryption: rigidity
Bernstein–Persichetti (ePrint 2019/256):
ROM CCA2 KEM � correct rigid deterministic PKE + implicit rejection
Correct: (Encrypt(m) = c) ) (Decrypt(c) = m)
Rigid: (Encrypt(m) = c) ( (Decrypt(c) = m)
3 / 10
![Page 10: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/10.jpg)
Eliminating re-encryption: rigidity
Bernstein–Persichetti (ePrint 2019/256):
ROM CCA2 KEM � correct rigid deterministic PKE + implicit rejection
Correct: (Encrypt(m) = c) ) (Decrypt(c) = m)
Rigid: (Encrypt(m) = c) ( (Decrypt(c) = m)
Rigidity is often enforced through re-encryption... some schemes can avoid it.
3 / 10
![Page 11: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/11.jpg)
NTRU
I Integer parameters n and q. I Polynomial arithmetic modulo xn − 1 = �1�n.
I Private key: A pair of polynomials (f , g). I Public key: A polynomial h that satisfes
I hf � 3g (mod (q, �1�n)), and I h � 0 (mod (q, �1)).
I Plaintext: A pair of polynomials (r, m), with I m � 0 (mod (q, �1)).
I Ciphertext: c = rh + m mod (q, �1�n). I c � 0 (mod (q, �1)).
4 / 10
![Page 12: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/12.jpg)
NTRU
I Integer parameters n and q. I Polynomial arithmetic modulo xn − 1 = �1�n.
I Private key: A pair of polynomials (f , g). I Public key: A polynomial h that satisfes
I hf � 3g (mod (q, �1�n)), and I h � 0 (mod (q, �1)).
I Plaintext: A pair of polynomials (r, m), with I m � 0 (mod (q, �1)).
I Ciphertext: c = rh + m mod (q, �1�n). I c � 0 (mod (q, �1)).
4 / 10
![Page 13: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/13.jpg)
Eliminating re-encryption: rigidity
I Check: (Decrypt(c) = m) ) (Encrypt(m) = c).
Decrypt((f , h), c) Suppose Decrypt((f , h), c) = (r, m). Then, by Line 3, 1: a = (cf) mod (q, �1�n)
2: m = (a/f) mod (3, �n) Encrypt(h, (r, m)) = rh + m mod (q, �1�n) 3: r = ((c−m)/h) mod (q, �n)
� c (mod (q, �n)) 4: if c � 0 (mod (q, �1)) and (r, m) is in the message space then
Lines 4-7 provide rigidity because 5: return (r, m) 6: end if 1. h � 0 mod (q, �1), and 7: return ? 2. valid m satisfy m � 0 mod (q, �1).
5 / 10
![Page 14: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/14.jpg)
Eliminating re-encryption: rigidity
I Check: (Decrypt(c) = m) ) (Encrypt(m) = c).
Decrypt((f , h), c) Suppose Decrypt((f , h), c) = (r, m). Then, by Line 3, 1: a = (cf) mod (q, �1�n)
2: m = (a/f) mod (3, �n) Encrypt(h, (r, m)) = rh + m mod (q, �1�n) 3: r = ((c−m)/h) mod (q, �n)
� c (mod (q, �n)) 4: if c � 0 (mod (q, �1)) and (r, m) is in the message space then
Lines 4-7 provide rigidity because 5: return (r, m) 6: end if 1. h � 0 mod (q, �1), and 7: return ? 2. valid m satisfy m � 0 mod (q, �1).
5 / 10
![Page 15: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/15.jpg)
Eliminating re-encryption: rigidity
I Check: (Decrypt(c) = m) ) (Encrypt(m) = c).
Decrypt((f , h), c) Suppose Decrypt((f , h), c) = (r, m). Then, by Line 3, 1: a = (cf) mod (q, �1�n)
2: m = (a/f) mod (3, �n) Encrypt(h, (r, m)) = rh + m mod (q, �1�n) 3: r = ((c−m)/h) mod (q, �n)
� c (mod (q, �n)) 4: if c � 0 (mod (q, �1)) and (r, m) is in the message space then
Lines 4-7 provide rigidity because 5: return (r, m) 6: end if 1. h � 0 mod (q, �1), and 7: return ? 2. valid m satisfy m � 0 mod (q, �1).
5 / 10
![Page 16: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/16.jpg)
Eliminating re-encryption: rigidity
I Check: (Decrypt(c) = m) ) (Encrypt(m) = c).
Decrypt((f , h), c) Suppose Decrypt((f , h), c) = (r, m). Then, by Line 3, 1: a = (cf) mod (q, �1�n)
2: m = (a/f) mod (3, �n) Encrypt(h, (r, m)) = rh + m mod (q, �1�n) 3: r = ((c−m)/h) mod (q, �n)
� c (mod (q, �n)) 4: if c � 0 (mod (q, �1)) and (r, m) is in the message space then
Lines 4-7 provide rigidity because 5: return (r, m) 6: end if 1. h � 0 mod (q, �1), and 7: return ? 2. valid m satisfy m � 0 mod (q, �1).
5 / 10
![Page 17: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/17.jpg)
Eliminating re-encryption: rigidity
I Check: (Decrypt(c) = m) ) (Encrypt(m) = c).
Decrypt((f , h), c) Suppose Decrypt((f , h), c) = (r, m). Then, by Line 3, 1: a = (cf) mod (q, �1�n)
2: m = (a/f) mod (3, �n) Encrypt(h, (r, m)) = rh + m mod (q, �1�n) 3: r = ((c−m)/h) mod (q, �n)
� c (mod (q, �n)) 4: if c � 0 (mod (q, �1)) and (r, m) is in the message space then
Lines 4-7 provide rigidity because 5: return (r, m) 6: end if 1. h � 0 mod (q, �1), and 7: return ? 2. valid m satisfy m � 0 mod (q, �1).
5 / 10
![Page 18: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/18.jpg)
Eliminating re-encryption: implicit rejection
I The user stores an additional 256 bit secret, s.
Encaps(h): Decaps((f , h, s), c): 1: Sample r and m. 1: result = Decrypt((f , h), c) 2: return rh + m mod (q, �1�n). 2: if result = ? then
3: return SHA3-256(s | c) 4: else 5: return SHA3-256(result) 6: end if
6 / 10
![Page 19: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/19.jpg)
80
90
100
110
120
130
140
150
160
170
180
190
200
210
1200 1400 1600 1800 2000 2200 2400 2600 2800 3000 3200
ntruhrss701
ntruhps2048509
ntruhps2048677
ntruhps4096821
Hyb
rid a
ttac
k co
st a
ssum
ing
Core
-SVP
pre
proc
essin
g, 0
.292
b m
etric
, log
sca
le
Communication cost (pk + ct bytes)
ntruhps-like with q primentruhps
ntruhrss-like with q prime
Parameter selection process
4pt 0pt
ntruhrss
7 / 10
![Page 20: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/20.jpg)
Recommended parameters
pk bytes ct bytes Core-SVP dim. ntruhps2048509 699 699 364 ntruhps2048677 930 930 496
ntruhrss701 1138 1138 470 ntruhps4096821 1230 1230 612
8 / 10
![Page 21: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/21.jpg)
Recommended parameters
pk bytes ct bytes Core-SVP dim. ntruhps2048509 699 699 364 ntruhps2048677 930 930 496
ntruhrss701 1138 1138 470 ntruhps4096821 1230 1230 612
Key Gen Encaps Decaps ntruhps2048509 171k 38k 49k ntruhps2048677 292k 53k 73k
ntruhrss701 283k 52k 76k ntruhps4096821 - - -
k = 1000 Haswell cycles. one second = 3 100 000k
8 / 10
![Page 22: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/22.jpg)
Recommended parameters
pk bytes ct bytes Core-SVP dim. ntruhps2048509 699 699 364 ntruhps2048677 930 930 496
ntruhrss701 1138 1138 470 ntruhps4096821 1230 1230 612
ntruhps2048509 ntruhps2048677
ntruhrss701 ntruhps4096821
Key Gen
-
Encaps
-
Decaps
-
k = 1000 Haswell cycles. one second = 3 100 000k
8 / 10
![Page 23: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/23.jpg)
Recommended parameters
pk bytes ct bytes Core-SVP dim. ntruhps2048509 699 699 364 ntruhps2048677 930 930 496
ntruhrss701 1138 1138 470 ntruhps4096821 1230 1230 612
Key Gen Encaps Decaps ntruhps2048509 167k 25k 49k ntruhps2048677 277k 35k 69k
ntruhrss701 255k 27k 71k ntruhps4096821 - - -
k = 1000 Haswell cycles. one second = 3 100 000k
8 / 10
![Page 24: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/24.jpg)
Other avenues to explore:I Use f = 1 + 3F in an ephemeral-only setting.I Choose perfectly correct parameters compatible with f = 1 + 3F.
Neither option is currently recommended.
Faster key generation?
9 / 10
![Page 25: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/25.jpg)
Other avenues to explore:I Use f = 1 + 3F in an ephemeral-only setting.I Choose perfectly correct parameters compatible with f = 1 + 3F.
Neither option is currently recommended.
Faster key generation?
Optimize! Most expensive component is inversion mod (3, �n): I Original ntruhrss701 software:
150k Haswell cycles I New software from Dan Bernstein and Bo-Yin Yang, ePrint 2019/266:
90k Haswell cycles
9 / 10
![Page 26: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/26.jpg)
Faster key generation?
Optimize! Most expensive component is inversion mod (3, �n): I Original ntruhrss701 software:
150k Haswell cycles I New software from Dan Bernstein and Bo-Yin Yang, ePrint 2019/266:
90k Haswell cycles
Other avenues to explore: I Use f = 1 + 3F in an ephemeral-only setting. I Choose perfectly correct parameters compatible with f = 1 + 3F.
Neither option is currently recommended.
9 / 10
![Page 27: NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if.](https://reader034.fdocuments.us/reader034/viewer/2022050514/5f9dfccf420efe23a24437c9/html5/thumbnails/27.jpg)
80
90
100
110
120
130
140
150
160
170
180
190
200
210
1200 1400 1600 1800 2000 2200 2400 2600 2800 3000 3200
ntruhrss701
ntruhps2048509
ntruhps2048677
ntruhps4096821
Hyb
rid a
ttac
k co
st a
ssum
ing
Core
-SVP
pre
proc
essin
g, 0
.292
b m
etric
, log
sca
le
Communication cost (pk + ct bytes)
ntruhps-like with q primentruhps
ntruhps-like with f 1+3F and q primentruhps-like with f 1+3F
ntruhrss-like with q prime
Correct parameters with faster key gen
4pt 0pt
= =
ntruhrss
10 / 10