5/23/2006 [email protected] 1
Ntru Cryptography: A Tutorial
Wei Ren, Ph.D.
Department of Electrical and Computer Engineering, University of Nevada, Las Vegas
Email: [email protected]
May 23, 2006
http://www.cs.unlv.edu/~renw/ntru-tutorial-slides.pdf
Agenda
  Algebra Tutorial
    Modular Arithmetic
    Truncated Polynomial Rings
    Inverse in Truncated Polynomial Rings
  The NTRU Public Key Cryptosystem
    NTRU PKCS Parameters
    Key Generation
    Encryption
    Decryption
    Why It Works
  Advanced Topics (Optimizations)
  Implementation Details
Modular Arithmetic
Divide by the modulus and keep the remainder, e.g. 147 (modulo 17) = ?
147 = 8*17 + 11, that is, 147 = 11 (modulo 17)
In general, the congruence a = b (modulo m) means that a and b leave the same remainder when they are divided by m.
(a modulo m) + (b modulo m) = (a+b modulo m)
(a modulo m) * (b modulo m) = (a*b modulo m)
If a*b = 1 (modulo m), b is an inverse for a (modulo m), e.g. the inverse of 10 (modulo 23) is 7. Why?
7*10 = 70 = 3*23 + 1, so 7*10 = 1 (modulo 23)
The Euclidean Algorithm can be used to check whether a and m have a common factor and, if they do not, to compute the inverse of a (modulo m).
Truncated Polynomial Rings
Degree N-1 ring, e.g. a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + ... + a_{N-2} X^{N-2} + a_{N-1} X^{N-1}
a + b = (a_0+b_0) + (a_1+b_1) X + ... + (a_{N-1}+b_{N-1}) X^{N-1}
X^N = 1 (mod X^N - 1)
a*b = c_0 + c_1 X + c_2 X^2 + ... + c_{N-2} X^{N-2} + c_{N-1} X^{N-1}, where
c_k = a_0 b_k + a_1 b_{k-1} + ... + a_k b_0 + a_{k+1} b_{N-1} + a_{k+2} b_{N-2} + ... + a_{N-1} b_{k+1}
that is,
c_k = \sum_{i=0}^{k} a_i b_{k-i} + \sum_{i=k+1}^{N-1} a_i b_{N+k-i} = \sum_{i+j \equiv k \pmod N} a_i b_j
a*(b+c) = a*b + a*c
Call it the Ring of Truncated Polynomials. In terms of modern abstract algebra, R is isomorphic to the quotient ring Z[X]/(X^N - 1).
Truncated Polynomial Ring R with Modular Arithmetic
Polynomial a modulo an integer q, written a (modulo q): means to reduce the coefficients of a modulo q
a = b (modulo q): means every coefficient of the difference a - b is a multiple of q
a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + ... + a_{N-2} X^{N-2} + a_{N-1} X^{N-1}
is conveniently written as the list of N numbers a = (a_0, a_1, a_2, ..., a_{N-2}, a_{N-1})
e.g. when N=7, the polynomial a = 3 + 2X^2 - 3X^4 + X^6 is stored as the list (3,0,2,0,-3,0,1)
Inverses in Truncated Polynomial Ring R
The inverse modulo q of a polynomial a is a polynomial A with the property that
a*A = 1 (modulo q)
Not every polynomial has an inverse modulo q, but it is easy to determine whether a has an inverse and to compute the inverse if it exists
e.g. N=7, q=11, a = 3 + 2X^2 - 3X^4 + X^6; the inverse of a modulo 11 is A = -2 + 4X + 2X^2 + 4X^3 - 4X^4 + 2X^5 - 2X^6
since (3 + 2X^2 - 3X^4 + X^6)*(-2 + 4X + 2X^2 + 4X^3 - 4X^4 + 2X^5 - 2X^6) = -10 + 22X + 22X^3 - 22X^6
= 1 (modulo 11)
NTRU PKCS Parameters
Ring R consists of all truncated polynomials of degree N-1 having integer coefficients:
a = a_0 + a_1 X + a_2 X^2 + a_3 X^3 + ... + a_{N-2} X^{N-2} + a_{N-1} X^{N-1}
N: the polynomials in the truncated polynomial ring have degree N-1
q: the large modulus; the coefficients of the truncated polynomials are reduced mod q
p: the small modulus; as the final step in decryption, the coefficients of the message are reduced mod p
NTRU PKCS Parameters
Security Level | N   | q   | p
Moderate       | 167 | 128 | 3
Standard       | 251 | 128 | 3
High           | 347 | 128 | 3
Highest        | 503 | 256 | 3
Comparable security levels: NTRU-167 / ECC-112 / RSA-512; NTRU-263 / ECC-168 / RSA-1024; NTRU-503 / ECC-196 / RSA-2048
From www.ntru.com, NTRU tutorial
In this tutorial, N=11, q=32, p=3
Key Generation
Randomly choose two "small" polynomials f and g and keep them private
  Randomly means the coefficients are randomly distributed (modulo p or q); small means the coefficients are much smaller than p or q
Compute the inverse of f modulo q and the inverse of f modulo p:
  f*fq = 1 (modulo q) and f*fp = 1 (modulo p)
Public key is: h = p*fq*g (modulo q)
Key Generation Example
N=11, q=32, p=3
One method to generate f and g:
  df: the polynomial f has df coefficients equal to +1, df-1 coefficients equal to -1, and all the rest are 0
  dg: the polynomial g has dg coefficients equal to +1, dg coefficients equal to -1, and all the rest are 0
  The reason: f and g are "small" polynomials; f has to be invertible while g does not (with equally many +1 and -1 coefficients, f(1) = 0, so f would share the factor X - 1 with X^N - 1 and have no inverse)
df=4, dg=3
f = -1 + X + X^2 - X^4 + X^6 + X^9 - X^10
g = -1 + X^2 + X^3 + X^5 - X^8 - X^10
Key Generation Example (cont.)
fp = 1 + 2X + 2X^3 + 2X^4 + X^5 + 2X^7 + X^8 + 2X^9
fq = 5 + 9X + 6X^2 + 16X^3 + 4X^4 + 15X^5 + 16X^6 + 22X^7 + 20X^8 + 18X^9 + 30X^10
How to generate fp and fq? Discussed later.
h = p*fq*g (modulo q), q=32, p=3, g = -1 + X^2 + X^3 + X^5 - X^8 - X^10 (from the previous slide)
h = 8 + 25X + 22X^2 + 20X^3 + 12X^4 + 24X^5 + 15X^6 + 19X^7 + 12X^8 + 19X^9 + 16X^10
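The slides say that the inverse of a modulo q is easy to find but defer the method. The following Python is an added example, not code from the slides or from ntru_v22.c: it implements the extended Euclidean algorithm for integers (the inverse of 10 modulo 23 from the modular-arithmetic slide) and for polynomials over GF(p) in Z_p[X]/(X^N - 1), then lifts an inverse modulo 2 to an inverse modulo a power of two by Hensel (Newton) iteration, which is how fq is obtained for q = 32. Run on the slides' f it reproduces fp and fq, and the N=7, q=11 example from the inverse slide is checked as well. All function names are mine.

```python
# Added example (not from the slides or ntru_v22.c): the Euclidean-algorithm
# machinery behind "compute the inverse if it exists", for integers and for
# truncated polynomials. Polynomials are coefficient lists, index = degree.

def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with g = gcd(a, b) and a*x + b*y = g."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q, (a, b) = a // b, (b, a % b)
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0

def int_inverse(a, m):
    """Inverse of a modulo m, or None if a and m share a factor (10 mod 23 -> 7)."""
    g, x, _ = egcd(a % m, m)
    return x % m if g == 1 else None

# --- plain polynomials over GF(p), used inside the Euclidean algorithm ---
def _trim(a):
    a = list(a)
    while len(a) > 1 and a[-1] == 0:
        a.pop()
    return a

def _mod_p(a, p):
    return _trim([c % p for c in a])

def _sub(a, b, p):
    n = max(len(a), len(b))
    a, b = a + [0] * (n - len(a)), b + [0] * (n - len(b))
    return _trim([(x - y) % p for x, y in zip(a, b)])

def _mul(a, b, p):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return _trim(out)

def _divmod(num, den, p):
    """Polynomial long division over GF(p): returns (quotient, remainder)."""
    num, den = _mod_p(num, p), _mod_p(den, p)
    inv_lead = int_inverse(den[-1], p)
    quot, rem = [0] * max(len(num) - len(den) + 1, 1), num
    while rem != [0] and len(rem) >= len(den):
        shift = len(rem) - len(den)
        coef = (rem[-1] * inv_lead) % p
        quot[shift] = coef
        rem = _sub(rem, [0] * shift + [coef * d for d in den], p)   # kills the top term
    return _trim(quot), rem

def poly_inverse_mod_prime(a, N, p):
    """Inverse of a in Z_p[X]/(X^N - 1) via extended Euclid, or None if none exists."""
    modulus = [-1] + [0] * (N - 1) + [1]            # X^N - 1
    r0, s0 = _mod_p(modulus, p), [0]                # invariant: r0 = s0*a (mod X^N - 1)
    r1, s1 = _mod_p(a, p), [1]                      # invariant: r1 = s1*a (mod X^N - 1)
    while r1 != [0]:
        q, r = _divmod(r0, r1, p)
        r0, s0, r1, s1 = r1, s1, r, _sub(s0, _mul(q, s1, p), p)
    if len(r0) != 1:                                # gcd has positive degree: no inverse
        return None
    scale = int_inverse(r0[0], p)                   # gcd is a non-zero constant
    out = [0] * N
    for i, c in enumerate(s0):                      # fold back into degree < N
        out[i % N] = (out[i % N] + c * scale) % p
    return out

def conv(a, b, N):
    """Multiplication in Z[X]/(X^N - 1): the cyclic-convolution c_k formula."""
    c = [0] * N
    for i in range(N):
        for j in range(N):
            c[(i + j) % N] += a[i] * b[j]
    return c

def poly_inverse_mod_power_of_2(a, N, q):
    """Inverse in Z_q[X]/(X^N - 1) for q = 2^k: invert mod 2, then Hensel-lift."""
    b = poly_inverse_mod_prime(a, N, 2)
    if b is None:
        return None
    m = 2
    while m < q:
        m = min(m * m, q)
        t = [(-c) % m for c in conv(a, b, N)]       # t = -a*b
        t[0] = (t[0] + 2) % m                       # t = 2 - a*b
        b = [c % m for c in conv(b, t, N)]          # b <- b*(2 - a*b); now a*b = 1 (mod m)
    return b

if __name__ == "__main__":
    f = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]        # f from the slides, N=11
    print("10^-1 mod 23 =", int_inverse(10, 23))
    print("fp =", poly_inverse_mod_prime(f, 11, 3))
    print("fq =", poly_inverse_mod_power_of_2(f, 11, 32))
```

Each Hensel step doubles the number of correct bits, so for q = 32 three steps (mod 4, 16, 32) follow the mod-2 inverse. Because an inverse in the ring is unique, the results must coincide with the fp and fq on the slides; a polynomial that shares a factor with X^N - 1 (for example 1 + X + ... + X^(N-1)) correctly comes back as None.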
Verification: is fp really the inverse of f, i.e. fp*f = 1 (mod p) with p=3?
X^N = 1 (mod X^N - 1), a*b = c_0 + c_1 X + c_2 X^2 + ... + c_{N-2} X^{N-2} + c_{N-1} X^{N-1}
c_k = a_0 b_k + a_1 b_{k-1} + ... + a_k b_0 + a_{k+1} b_{N-1} + a_{k+2} b_{N-2} + ... + a_{N-1} b_{k+1}
c_k = \sum_{i=0}^{k} a_i b_{k-i} + \sum_{i=k+1}^{N-1} a_i b_{N+k-i} = \sum_{i+j \equiv k \pmod N} a_i b_j
fp = 1 + 2X + 2X^3 + 2X^4 + X^5 + 2X^7 + X^8 + 2X^9, stored as (1, 2, 0, 2, 2, 1, 0, 2, 1, 2, 0)
f = -1 + X + X^2 - X^4 + X^6 + X^9 - X^10, stored as (-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1)
e.g. c_0 = 1*(-1) + 2*(-1) + 0*1 + 2*0 + 2*0 + 1*1 + 0*0 + 2*(-1) + 1*0 + 2*1 + 0*1 = (-1) + (-2) + 1 + (-2) + 2 = -2
Since p=3, (-2) = 1 (mod 3)
How to compute h = p*fq*g (mod q), q=32, p=3
Low Hamming Weight Polynomials. Reference: J. Hoffstein, J. Silverman, "Random Small Hamming Weight Products With Applications to Cryptography," http://www.ntru.com/cryptolab/articles.htm, last accessed May 19, 2006
e.g. (4,5,7)*(5,3,2) = 4*(5,3,2) + 5*(2,5,3) + 7*(3,2,5) = (20,12,8) + (10,25,15) + (21,14,35) = (20+10+21, 12+25+14, 8+15+35) = (51,51,58)
How to compute h = p*fq*g (mod q), q=32, p=3 (cont.)
Using low Hamming weight polynomials:
fq = 5 + 9X + 6X^2 + 16X^3 + 4X^4 + 15X^5 + 16X^6 + 22X^7 + 20X^8 + 18X^9 + 30X^10
g = -1 + X^2 + X^3 + X^5 - X^8 - X^10
h = p*fq*g (mod q), p=3, q=32
(-1,0,1,1,0,1,0,0,-1,0,-1)*(5,9,6,16,4,15,16,22,20,18,30)
= (-5,-9,-6,-16,-4,-15,-16,-22,-20,-18,-30)
+ (18,30,5,9,6,16,4,15,16,22,20)
+ (20,18,30,5,9,6,16,4,15,16,22)
+ (16,22,20,18,30,5,9,6,16,4,15)
+ (-16,-4,-15,-16,-22,-20,-18,-30,-5,-9,-6)
+ (-9,-6,-16,-4,-15,-16,-22,-20,-18,-30,-5)
= (24,51,...)
(one term g_t times fq cyclically shifted by t for each of the six non-zero coefficients of g)
-5+18+20+16-16-9 = 24, 24*3 = 72, 72 = 8 (mod 32)
h = 8 + 25X + 22X^2 + 20X^3 + 12X^4 + 24X^5 + 15X^6 + 19X^7 + 12X^8 + 19X^9 + 16X^10
Encryption
m is the plaintext in the form of a polynomial whose coefficients are "small" mod q
Randomly choose another "small" polynomial r; r is the "blinding value", used to obscure the message (similar to the way the ElGamal algorithm uses a one-time random value when encrypting)
e = r*h + m (modulo q); e is the encrypted message, m is the plaintext, h is the public key
Encryption Example
r has dr coefficients equal to 1, dr-1 coefficients equal to -1, and all others are 0
dr=3, r = -1 + X^2 + X^3 + X^4 - X^5 - X^7
m = -1 + X^3 - X^4 - X^8 + X^9 + X^10
h = 8 + 25X + 22X^2 + 20X^3 + 12X^4 + 24X^5 + 15X^6 + 19X^7 + 12X^8 + 19X^9 + 16X^10
e = r*h + m (mod q) = (-1,0,1,1,1,-1,0,-1,0,0,0)*(8,25,22,20,12,24,15,19,12,19,16) + (-1,0,0,1,-1,0,0,0,-1,1,1)
= 14 + 11X + 26X^2 + 24X^3 + 14X^4 + 16X^5 + 30X^6 + 7X^7 + 25X^8 + 6X^9 + 19X^10
Decryption
a = f*e (mod q); the coefficients of a MUST be chosen to lie between -q/2 and q/2, e.g. for q=32 the coefficients must lie in [-15, 16]
b = a (mod p); the coefficients of b MUST be chosen between -p/2 and p/2; for p=3 the range is [-1, 1]
c = fp*b (mod p); the coefficients of c MUST be chosen between -p/2 and p/2; for p=3 the range is [-1, 1]
Decryption Example: a = f*e (mod q)
e = 14 + 11X + 26X^2 + 24X^3 + 14X^4 + 16X^5 + 30X^6 + 7X^7 + 25X^8 + 6X^9 + 19X^10
f = -1 + X + X^2 - X^4 + X^6 + X^9 - X^10
(-1,1,1,0,-1,0,1,0,0,1,-1)*(14,11,26,24,14,16,30,7,25,6,19) mod 32, with coefficients moved into [-15,16]:
a = 3 - 7X - 10X^2 - 11X^3 + 10X^4 + 7X^5 + 6X^6 + 7X^7 + 5X^8 - 3X^9 - 7X^10
denoted by (3,-7,-10,-11,10,7,6,7,5,-3,-7)
Decryption Example: b = a (mod p)
a = 3 - 7X - 10X^2 - 11X^3 + 10X^4 + 7X^5 + 6X^6 + 7X^7 + 5X^8 - 3X^9 - 7X^10, i.e. (3,-7,-10,-11,10,7,6,7,5,-3,-7)
b = a (mod 3), with coefficients moved into [-1,1]:
b = -X - X^2 + X^3 + X^4 + X^5 + X^7 - X^8 - X^10 (mod 3), i.e. (0,-1,-1,1,1,1,0,1,-1,0,-1)
Decryption Example: c = fp*b (mod p)
fp = 1 + 2X + 2X^3 + 2X^4 + X^5 + 2X^7 + X^8 + 2X^9, i.e. (1,2,0,2,2,1,0,2,1,2,0)
b = -X - X^2 + X^3 + X^4 + X^5 + X^7 - X^8 - X^10, i.e. (0,-1,-1,1,1,1,0,1,-1,0,-1)
(0,-1,-1,1,1,1,0,1,-1,0,-1)*(1,2,0,2,2,1,0,2,1,2,0)
= (0,-1,-2,0,-2,-2,-1,0,-2,-1,-2)
+ (-2,0,-1,-2,0,-2,-2,-1,0,-2,-1)
+ (1,2,0,1,2,0,2,2,1,0,2)
+ (2,1,2,0,1,2,0,2,2,1,0)
+ (0,2,1,2,0,1,2,0,2,2,1)
+ (2,1,0,2,1,2,0,1,2,0,2)
+ (-2,-2,-1,0,-2,-1,-2,0,-1,-2,0)
+ (-2,0,-2,-2,-1,0,-2,-1,-2,0,-1)
(one term b_t times fp cyclically shifted by t for each of the eight non-zero coefficients of b)
mod 3, with coefficients moved into [-1,1]; therefore c = (-1,0,0,1,-1,0,0,0,-1,1,1)
m = (-1,0,0,1,-1,0,0,0,-1,1,1)
equal
Summary
Parameters: N, p (small prime), q (big number, power of 2, gcd(p,q)=1)
Private key: two randomly generated "small" polynomials f, g
Compute fq, fp with f*fq = 1 (mod q), f*fp = 1 (mod p)
Public key: h = p*fq*g (mod q)
Encryption: a randomly generated "small" polynomial r as blinding value; e = r*h + m (mod q), e is the ciphertext, m is the plaintext
Decryption: a = f*e (mod q), b = a (mod p), c = fp*b (mod p), moving the coefficients into the centered range at each step; c is the result, which should equal m
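The whole key generation, encryption and decryption procedure summarized above, as an added Python example that is not the slides' or ntru_v22.c's code. It uses the slides' own f, g, fp, fq, r and m for N=11, q=32, p=3: conv() is the c_k cyclic-convolution formula from the truncated-polynomial-ring slide, centered() is the "MUST choose coefficients between -q/2 and q/2" step (giving [-15,16] for q=32 and [-1,1] for p=3 as on the slides), and unreduced_a() computes p*r*g + f*m over the integers, the quantity the "Why it Works" argument needs to stay inside that range. Function names are mine.

```python
# Added example (not from the slides or ntru_v22.c): NTRU key generation,
# encryption and decryption on the tutorial's values. Coefficient lists, index = degree.

N, Q, P = 11, 32, 3

def conv(a, b, n=N):
    """Multiplication in Z[X]/(X^n - 1): cyclic convolution (the c_k formula)."""
    c = [0] * n
    for i in range(n):
        for j in range(n):
            c[(i + j) % n] += a[i] * b[j]
    return c

def centered(a, m):
    """Reduce each coefficient mod m into the centered range used on the slides."""
    half = (m - 1) // 2                   # q=32 -> [-15,16], p=3 -> [-1,1]
    return [((c + half) % m) - half for c in a]

def public_key(fq, g, p=P, q=Q):
    """h = p*fq*g (mod q), with fq the inverse of f modulo q."""
    return [(p * c) % q for c in conv(fq, g)]

def encrypt(m, r, h, q=Q):
    """e = r*h + m (mod q); r is the random blinding polynomial."""
    return [(x + y) % q for x, y in zip(conv(r, h), m)]

def decrypt(e, f, fp, p=P, q=Q):
    """a = f*e (mod q), b = a (mod p), c = fp*b (mod p), each centered."""
    a = centered(conv(f, e), q)
    b = centered(a, p)
    c = centered(conv(fp, b), p)
    return a, b, c

def unreduced_a(r, g, f, m, p=P):
    """p*r*g + f*m over the integers; decryption is exact only if every
    coefficient of this polynomial already lies in the centered range for q."""
    return [p * x + y for x, y in zip(conv(r, g), conv(f, m))]

# Values from the tutorial slides (N=11, q=32, p=3)
f  = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]
g  = [-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1]
fp = [1, 2, 0, 2, 2, 1, 0, 2, 1, 2, 0]
fq = [5, 9, 6, 16, 4, 15, 16, 22, 20, 18, 30]
r  = [-1, 0, 1, 1, 1, -1, 0, -1, 0, 0, 0]
m  = [-1, 0, 0, 1, -1, 0, 0, 0, -1, 1, 1]

def run_tutorial_example():
    """Return (h, e, a, b, c, worst) for the slides' values; worst is max |p*r*g + f*m|."""
    assert [c % Q for c in conv(f, fq)] == [1] + [0] * (N - 1)   # f*fq = 1 (mod q)
    assert [c % P for c in conv(f, fp)] == [1] + [0] * (N - 1)   # f*fp = 1 (mod p)
    h = public_key(fq, g)
    e = encrypt(m, r, h)
    a, b, c = decrypt(e, f, fp)
    worst = max(abs(x) for x in unreduced_a(r, g, f, m))
    return h, e, a, b, c, worst

if __name__ == "__main__":
    h, e, a, b, c, worst = run_tutorial_example()
    print("h =", h)
    print("e =", e)
    print("a =", a)
    print("c =", c, "| matches m:", c == m)
    print("max |p*r*g + f*m| =", worst, "(must stay within [-15,16] for q=32)")
```

For the slides' values the unreduced polynomial p*r*g + f*m is exactly the a that decryption recovers, and its largest coefficient in absolute value is 11, comfortably inside [-15,16]. Parameter sets are chosen so that this margin holds with overwhelming probability; when it fails, the mod-q reduction wraps a coefficient and the recovered c differs from m (a decryption failure).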
Why it Works
a = f*e (mod q)                      [e = r*h + m (mod q)]
  = f*(r*h + m) (mod q)              [h = p*fq*g (mod q)]
  = f*(r*p*fq*g + m) (mod q)         [f*fq = 1 (mod q)]
  = p*r*g + f*m (mod q)
The polynomials r, g, f, m all have coefficients that are quite small, so the coefficients of r*g and f*m are also quite small, at least in comparison to q. Since the prime p is also small compared to q, this means the coefficients of the polynomial p*r*g + f*m lie between -q/2 and q/2, so reducing the coefficients mod q has no effect.
b = a = f*m (mod p)
c = fp*b = fp*f*m = m (mod p)        [since fp*f = 1 (mod p)]
Optimizations
Reference:
J. Hoffstein, J. Silverman, "Optimizations for NTRU," in: Proc. of Public-Key Cryptography and Computational Number Theory (Warsaw, September 11-15, 2000), Walter de Gruyter, Berlin-New York, 2001.
J. Hoffstein, J. Silverman, "Random Small Hamming Weight Products with Applications to Cryptography," in: Proc. of Com2MaC Workshop on Cryptography (Pohang, Korea, June 2000), Discrete Mathematics, to appear.
Optimizations (cont.)
Polynomial multiplication
  Low Hamming weight polynomials, e.g. m, f, g, r
  Products of small Hamming weight polynomials, e.g. h = p*fq*g (mod q), e = r*h + m (mod q), a = f*e (mod q)
  Instead of taking f to be a single small polynomial, form it by combining several even smaller polynomials
e.g. in full-size versions of the cryptosystem, with N=251, one usually takes small polynomials so that about one third of the coefficients are non-zero
Optimizations (cont.)
e.g. for computing i*a with i = [1,0,1,1,1,1,1,1,0,0,1,1,0]:
i = i1*i2 = [1,0,1,0,0,0,0,1,0,0,0,0,0] * [1,0,0,1,1,0,0,0,0,0,0,0,0]
i has 9 ones, so i*a takes 9 additions per coefficient
If instead we replace i by i1 and i2 and first calculate i2*a, it takes 3 additions per coefficient; then calculate i1*(i2*a), which takes another 3 additions per coefficient, so the total is 6 additions per coefficient, taking only 2/3 as long
Optimizations (cont.)
For commercial NTRU, N=251
Short vectors have about 72 non-zero coefficients
For decryption, a = f*e (mod q), let f = 1 + p*F with dF=72; f = 1 + p*((f1*f2) + f3) with df1=8, df2=8, df3=8, so it takes 24 additions per coefficient, not 72
For encryption, e = r*h + m (mod q), let r = (r1*r2) + r3 with dr1=8, dr2=8, dr3=8, so it takes 24 additions per coefficient, not 72
Implementation Details
Source code: www.cs.unlv.edu/~renw/ntru_v22.c
Document: www.cs.unlv.edu/~renw/ntru-tutorial-impl.pdf
Language: ANSI C
Compile: gcc ntru_v22.c -o ntru
Usage: ntru plaintext (max length is 11, '0' and '1' characters), e.g. ntru 11111000001
Functions in Program
GF_Ntru_ParameterSetup(11,32,3);
GF_Ntru_PrivateKeyGen();
GF_Ntru_PublicKeyGen();
GF_Ntru_BlindValueGen();
GF_Ntru_GetPlainText();
GF_Ntru_Encrypt();
GF_Ntru_Decrypt();
GF_Debug_Check_Result();
Program Organization
Data Flow Diagram and Function-Calling Graph (figures not reproduced): main() calls
GF_Ntru_ParameterSetup(11,32,3), GF_Ntru_PrivateKeyGen(), GF_Ntru_PublicKeyGen(), GF_Ntru_BlindValueGen(), GF_Ntru_GetPlainText(), GF_Ntru_Encrypt(), GF_Ntru_Decrypt() and GF_Debug_Check_Result()
Implementation Details (cont.)

    for (t = 0; t < GV_N; t++)   // using low weight hamming polynomial multiplication
    {
        if (r[t] == 1) {
            for (i = 0; i < GV_N; i++) e[i] = e[i] + h[i];
        }
        if (r[t] == -1) {
            for (i = 0; i < GV_N; i++) e[i] = e[i] - h[i];
        }
        // h[ ] one right shift (cyclic): h becomes X*h for the next term
        int swaptemp = h[GV_N - 1];
        for (i = GV_N - 1; i > 0; i--) {
            h[i] = h[i - 1];
        }
        h[0] = swaptemp;
    }

Low weight hamming polynomial product, e.g. e = r*h + m (mod q)
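Added Python example (not the slides' or ntru_v22.c's code) of what the C loop above and the Optimizations slides describe: multiplication by a polynomial with coefficients in {-1, 0, 1} as a sequence of cyclic shift-and-adds, counting one addition per coefficient per non-zero term, the product-form trick i = i1*i2 on the slides' N=13 example, and the f = 1 + p*(f1*f2 + f3) form used for decryption. The dense operand a13 and the small factors used in the check are constructed for the example; function names are mine.

```python
# Added example (not from the slides or ntru_v22.c): low-Hamming-weight
# multiplication as cyclic shift-and-add, with an addition count per coefficient,
# and the product-form optimisation. Coefficient lists, index = degree, N = len.

def conv(a, b):
    """Dense cyclic convolution in Z[X]/(X^N - 1), used only as a reference."""
    n = len(a)
    c = [0] * n
    for i in range(n):
        for j in range(n):
            c[(i + j) % n] += a[i] * b[j]
    return c

def sparse_mul(s, a):
    """s*a for s with coefficients in {-1, 0, 1}: each non-zero s_t adds or subtracts
    X^t * a, a cyclic shift of a by t (the r[t]==1 / r[t]==-1 branches of the C loop).
    Returns (product, additions per coefficient)."""
    n = len(a)
    out = [0] * n
    adds = 0
    for t, s_t in enumerate(s):
        if s_t == 0:
            continue
        for i in range(n):
            out[(i + t) % n] += s_t * a[i]
        adds += 1                       # one add/subtract per coefficient per non-zero term
    return out, adds

def product_form_mul(factors, a):
    """(i1*i2*...)*a computed as i1*(i2*(...*a)); cost is the sum of the factor weights."""
    total = 0
    for s in factors:
        a, adds = sparse_mul(s, a)
        total += adds
    return a, total

def ntru_product_form_mul(e, f1, f2, f3, p):
    """f*e for f = 1 + p*(f1*f2 + f3): weight(f1)+weight(f2)+weight(f3) additions per
    coefficient (plus the final combine), the idea behind '24 additions, not 72'."""
    t, n12 = product_form_mul([f2, f1], e)      # (f1*f2)*e
    u, n3 = sparse_mul(f3, e)                   # f3*e
    return [x + p * (y + z) for x, y, z in zip(e, t, u)], n12 + n3

# Example from the Optimizations slide, N = 13
i  = [1, 0, 1, 1, 1, 1, 1, 1, 0, 0, 1, 1, 0]
i1 = [1, 0, 1, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0]
i2 = [1, 0, 0, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0]
# Constructed dense operand (not from the slides)
a13 = [3, 1, 4, 1, 5, 9, 2, 6, 5, 3, 5, 8, 9]

def compare_costs():
    """(additions with i directly, additions via i1 and i2); both products must agree."""
    direct, n_direct = sparse_mul(i, a13)
    via_product, n_product = product_form_mul([i2, i1], a13)
    assert direct == via_product == conv(i, a13)
    return n_direct, n_product

if __name__ == "__main__":
    print("i1*i2 == i:", sparse_mul(i1, i2)[0] == i)
    print("additions per coefficient (direct, product form):", compare_costs())
```

On the slides' example the direct product costs 9 additions per coefficient and the product form 6, the 2/3 ratio quoted there; for the N=251 decryption form with three weight-8 factors the same accounting gives 24 instead of 72.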
What’s Next
Implement commercial version, NTRU503 (on-going, in debugging stage)
Hardware-software co-design optimization
  Montgomery multiplication hardware implementation (VHDL, ModelSim)
Performance comparison with RSA and ECC on a sensor network platform
Scrutiny of NTRU security (lattices)
NTRU-based key management (authentication, signature) for wireless sensor network security
Acknowledgement
I would like to thank Prof. Yoohwan Kim, Prof. Mei Yang and Prof. Yingtao Jiang for the insightful comments and discussions.
References
The NTRU Public Key Cryptosystem - A Tutorial, http://www.ntru.com/cryptolab/tutorials.htm, last accessed May 19, 2006
The End and Thanks