NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if

NTRU

Cong Chen, Oussama Danba, Je˙rey Ho˙stein, Andreas Hülsing, Joost Rijneveld, John M. Schanck,

Peter Schwabe, William Whyte, Zhenfei Zhang

Second round update 2019-08-24

1 / 10

#Saito–Xagawa–Yamakawa (Eurocrypt 2018)I Deterministic encryptionI CCA2 KEM via re-encryption and

implicit rejection

−!

#NTRU

(NIST Round 2)

NTRU-HRSS-KEM (NIST Round 1) I Perfect correctness I Arbitrary-weight trinary vectors I One nice parameter set I Probabilistic encryption I CCA2 KEM via Dent “Table 5” /

Targhi–Unruh

NTRUEncrypt (NIST Round 1) I Imperfect correctness I Fixed-weight trinary vectors I Many nice parameter sets I Probabilistic encryption I CCA2 PKE via NAEP

2 / 10

−!

#NTRU

(NIST Round 2)


Targhi–Unruh

# Saito–Xagawa–Yamakawa (Eurocrypt 2018) I Deterministic encryption I CCA2 KEM via re-encryption and

implicit rejection


2 / 10

#


Targhi–Unruh


implicit rejection


NTRU −! (NIST Round 2)

2 / 10


Targhi–Unruh


implicit rejection


# NTRU −! (NIST Round 2)

2 / 10


Targhi–Unruh


implicit rejection


# NTRU −! (NIST Round 2)

2 / 10

Correct: (Encrypt(m) = c) ) (Decrypt(c) = m)Rigid: (Encrypt(m) = c) ( (Decrypt(c) = m)

Rigidity is often enforced through re-encryption...some schemes can avoid it.

Eliminating re-encryption: rigidity

Bernstein–Persichetti (ePrint 2019/256):

ROM CCA2 KEM � correct rigid deterministic PKE + implicit rejection

3 / 10

Rigid: (Encrypt(m) = c) ( (Decrypt(c) = m)





Correct: (Encrypt(m) = c) ) (Decrypt(c) = m)

3 / 10







3 / 10






Rigidity is often enforced through re-encryption... some schemes can avoid it.

3 / 10

NTRU

I Integer parameters n and q. I Polynomial arithmetic modulo xn − 1 = �1�n.

I Private key: A pair of polynomials (f , g). I Public key: A polynomial h that satisfes

I hf � 3g (mod (q, �1�n)), and I h � 0 (mod (q, �1)).

I Plaintext: A pair of polynomials (r, m), with I m � 0 (mod (q, �1)).

I Ciphertext: c = rh + m mod (q, �1�n). I c � 0 (mod (q, �1)).

4 / 10

NTRU

I Integer parameters n and q. I Polynomial arithmetic modulo xn − 1 = �1�n.

I Private key: A pair of polynomials (f , g). I Public key: A polynomial h that satisfes

I hf � 3g (mod (q, �1�n)), and I h � 0 (mod (q, �1)).

I Plaintext: A pair of polynomials (r, m), with I m � 0 (mod (q, �1)).

I Ciphertext: c = rh + m mod (q, �1�n). I c � 0 (mod (q, �1)).

4 / 10


I Check: (Decrypt(c) = m) ) (Encrypt(m) = c).

Decrypt((f , h), c) Suppose Decrypt((f , h), c) = (r, m). Then, by Line 3, 1: a = (cf) mod (q, �1�n)

2: m = (a/f) mod (3, �n) Encrypt(h, (r, m)) = rh + m mod (q, �1�n) 3: r = ((c−m)/h) mod (q, �n)

� c (mod (q, �n)) 4: if c � 0 (mod (q, �1)) and (r, m) is in the message space then

Lines 4-7 provide rigidity because 5: return (r, m) 6: end if 1. h � 0 mod (q, �1), and 7: return ? 2. valid m satisfy m � 0 mod (q, �1).

5 / 10







5 / 10







5 / 10







5 / 10







5 / 10

Eliminating re-encryption: implicit rejection

I The user stores an additional 256 bit secret, s.

Encaps(h): Decaps((f , h, s), c): 1: Sample r and m. 1: result = Decrypt((f , h), c) 2: return rh + m mod (q, �1�n). 2: if result = ? then

3: return SHA3-256(s | c) 4: else 5: return SHA3-256(result) 6: end if

6 / 10

80

90

100

110

120

130

140

150

160

170

180

190

200

210

1200 1400 1600 1800 2000 2200 2400 2600 2800 3000 3200

ntruhrss701

ntruhps2048509

ntruhps2048677

ntruhps4096821

Hyb

rid a

ttac

k co

st a

ssum

ing

Core

-SVP

pre

proc

essin

g, 0

.292

b m

etric

, log

sca

le

Communication cost (pk + ct bytes)

ntruhps-like with q primentruhps

ntruhrss-like with q prime

Parameter selection process

4pt 0pt

ntruhrss

7 / 10

Recommended parameters

pk bytes ct bytes Core-SVP dim. ntruhps2048509 699 699 364 ntruhps2048677 930 930 496

ntruhrss701 1138 1138 470 ntruhps4096821 1230 1230 612

8 / 10




Key Gen Encaps Decaps ntruhps2048509 171k 38k 49k ntruhps2048677 292k 53k 73k

ntruhrss701 283k 52k 76k ntruhps4096821 - - -

k = 1000 Haswell cycles. one second = 3 100 000k

8 / 10




ntruhps2048509 ntruhps2048677

ntruhrss701 ntruhps4096821

Key Gen

-

Encaps

-

Decaps

-


8 / 10




Key Gen Encaps Decaps ntruhps2048509 167k 25k 49k ntruhps2048677 277k 35k 69k

ntruhrss701 255k 27k 71k ntruhps4096821 - - -


8 / 10

Other avenues to explore:I Use f = 1 + 3F in an ephemeral-only setting.I Choose perfectly correct parameters compatible with f = 1 + 3F.

Neither option is currently recommended.

Faster key generation?

9 / 10

Other avenues to explore:I Use f = 1 + 3F in an ephemeral-only setting.I Choose perfectly correct parameters compatible with f = 1 + 3F.



Optimize! Most expensive component is inversion mod (3, �n): I Original ntruhrss701 software:

150k Haswell cycles I New software from Dan Bernstein and Bo-Yin Yang, ePrint 2019/266:

90k Haswell cycles

9 / 10


Optimize! Most expensive component is inversion mod (3, �n): I Original ntruhrss701 software:

150k Haswell cycles I New software from Dan Bernstein and Bo-Yin Yang, ePrint 2019/266:

90k Haswell cycles

Other avenues to explore: I Use f = 1 + 3F in an ephemeral-only setting. I Choose perfectly correct parameters compatible with f = 1 + 3F.


9 / 10

80

90

100

110

120

130

140

150

160

170

180

190

200

210

1200 1400 1600 1800 2000 2200 2400 2600 2800 3000 3200

ntruhrss701

ntruhps2048509

ntruhps2048677

ntruhps4096821

Hyb

rid a

ttac

k co

st a

ssum

ing

Core

-SVP

pre

proc

essin

g, 0

.292

b m

etric

, log

sca

le

Communication cost (pk + ct bytes)

ntruhps-like with q primentruhps

ntruhps-like with f 1+3F and q primentruhps-like with f 1+3F

ntruhrss-like with q prime

Correct parameters with faster key gen

4pt 0pt

= =

ntruhrss

10 / 10

Documents

NTRU Round 2 Presentation - CSRC · 4: if c 0 (mod (q, c (mod (q, n)) 1)) and (r, m) is in the message space . then. 5: return (r, m) Lines 4-7provide rigiditybecause . 6: end if