Mod-NTRU trapdoors and applications

Alexandre Wallet

Lattices: From Theory to Practice

Simons Institute, 29/04/2020

Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehlé and Keita Xagawa, ePrint 2019/1456

1/17

  • A. Wallet
Today’s talk

A larger class of almost “optimal” trapdoors from NTRU modules.

Known applications (not detailed today):
  • (A) New meaningful security/efficiency trade-offs for GPV signatures; acceptably efficient PKE/KEM à la NTRUEncrypt
  • (B) Extension of [DLP’14]’s IBE

(A) see our article; (B) Cheon, Kim, Kim, and Son, ePrint 2019/1468

Roadmap

1. Lattice trapdoors, NTRU lattices
2. Hard NTRU lattices with half-trapdoors
3. Completing the trapdoor, application to signatures

Lattice trapdoors

Parity-check lattices. For $A \in \mathbb{Z}^{m \times n}$ and $q \in \mathbb{Z}$,
$\Lambda_q^\perp(A) = \{x \in \mathbb{Z}^m : xA = 0 \bmod q\}$.

[Ajt’96] The $(\Lambda_q^\perp(A))_A$ are “hard lattices”: for $A \leftarrow U(\mathbb{Z}_q^{m \times n})$, $\mathrm{SIS}_{m,q} \ge \mathrm{SIVP}_{\mathrm{poly}(n)}$.

A trapdoor is a short basis $B$ of $\Lambda_q^\perp(A)$ ($\|B\|_{\max} := \max_i \|b_i\|$ is small).

What is “optimal”? $\|\tilde{B}\|_{\max} \approx \mathrm{Vol}(\Lambda_q^\perp(A))^{1/m}$, where $\tilde{B} = \mathrm{GSO}(B)$.

Canonical example: GPV signatures

If $B$ is a basis of $\Lambda_q^\perp(A)$, then $BA = 0 \bmod q$.

Simplified $\mathrm{Sign}_B(msg)$: find $c$ such that $cA = H(msg)$; sample $v \leftarrow D_{L(B),c,\sigma}$ with TheSampler†; signature $s = c - v$.

Simplified $\mathrm{Verif}_A(msg, s)$: if $s$ is too big, refuse; if $sA \neq H(msg)$, refuse; otherwise accept.

Requirements: $\sigma$ small ⇒ $B$ short; hard to compute $B$ from $A$; easy to generate $(A, B)$. $s$ Gaussian of std.dev. $\sigma$ ⇒ $\|s\| \approx \sigma\sqrt{m}$. Want $n$ and $q$ s.t. $\mathrm{SIS}_{m,q,\sigma\sqrt{m}}$ is hard.

  • Method determines $m = m(n, q)$.

†: remember Thomas’ talk

Development of lattice trapdoors

Algorithms to generate trapdoored hard lattices:

  • [Ajt’99] $A$ hard and $\|B\|_{\max} = O(m^{5/2})$: ✕ optimal ✕ practical
  • [AP’09] $A$ hard, $m = \Omega(n \log q)$, $\|\tilde{B}\|_{\max} = O(\sqrt{n \log q})$: ✓ optimal ✕ practical
  • [MP’12] Meaningful improvements, but still $\|\tilde{B}\|_{\max} = O(\sqrt{n \log q})$: getting there!
  • [DLP’14] $A$ an NTRU lattice, $m = 2n$, $\|\tilde{B}\|_{\max} \approx \sqrt{q}$: ✓ optimal ✓ practical
  • Today: $A$ an NTRU lattice, $m = cn$, $\|\tilde{B}\|_{\max} \approx q^{1/c}$.

($\tilde{B} = \mathrm{GSO}(B)$)

NTRU modules

$R = \mathbb{Z}[X]/(\phi)$, $\deg \phi = n$, $\phi$ irreducible; $q$ a prime. An element $f = \sum_i f_i X^i$ is handled either as the vector $(f_0, \dots, f_{n-1})$ or as its multiplication matrix $T(f)$.

$F \in R^{m \times m}$ invertible mod $q$, $G \in R^{m \times k}$, and $H = F^{-1}G \bmod q$. Then

$L^{m,k}_{\mathrm{NTRU}} := \Lambda_q^\perp([H \mid -I_k]) = \{(u, v) \in R^{m+k} : uH - v = 0 \bmod q\}$

is a (full) rank $(m+k)n$ lattice with volume $q^{kn}$ and an easy (public) basis. Its minima, covering radius and smoothing parameter are all $\approx q^{k/(m+k)}$.

Use of NTRU modules

Non exhaustive; all of these are for $m = k = 1$.

  • PKE/KEM: NTRUEncrypt [HPS’98], NTRUEnc-HRSS [HH+’17], NTRUPrime [BCLV’17]
  • Advanced: HE [LTV’12], multilinear maps [GGH’13], IBE [DLP’14]
  • Signatures: NTRUSign [HHS+’03], Falcon (from [DLP’14], from [GPV’08]), BLISS [DDLL’13]

Where are we?

1. Lattice trapdoors, NTRU lattices
2. Hard NTRU lattices with half-trapdoors
   • Trapdoor generation, a starter
   • Hardness of trapdoored NTRU
3. Completing the trapdoor, application to signatures

How to generate a useful NTRU module

Trapdoor basis $B = \begin{pmatrix} F & G \\ * & * \end{pmatrix}$ should give us $\|T(B)\|_{\max} \approx q^{k/(m+k)}$.

Lemma: If $B = [b_1, \dots, b_{m+k}]$, then $\|T(B)\|_{\max} = \max\{\|b_1\|, \dots, \|b_{m+k}\|\} \ge q^{k/(m+k)}$.

A starter: take $s \approx q^{k/(m+k)}$.
1) Sample $b_i \leftarrow D^{m+k}_{R,s}$ for $1 \le i \le m$.
2) Parse as $[b_1, \dots, b_m] = [F \mid G]$; restart if $F$ is not invertible mod $q$.

Caveat: orthogonal projections shrink vectors by some factor $\gamma_i$ ⇒ $b_1$ will be maximal; the completion of the basis will compensate.

A better start: set $s_i \approx \gamma_i \cdot q^{k/(m+k)}$.
1) Sample $b_i \leftarrow D^{m+k}_{R,s_i}$ for $1 \le i \le m$.
2) Parse as $[b_1, \dots, b_m] = [F \mid G]$; restart if $F$ is not invertible mod $q$.
Output a half-trapdoor for $H = F^{-1}G \bmod q$.

Remaining problems: Is $\Lambda_q^\perp(H)$ a hard lattice? How to complete the basis? Will the completion be nice?

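A concrete version of the starter above, as an added Python example (my code, not the talk's or the paper's): it assumes $\phi = X^n + 1$ with toy parameters $n = 8$, $q = 11$ (so $q \equiv 3 \bmod 8$), $m = 2$, $k = 1$, $s \approx q^{k/(m+k)}$, represents ring elements by their multiplication matrices $T(\cdot)$ so that the public $H = F^{-1}G \bmod q$ comes out as the integer matrix $T(H)$, and replaces the discrete Gaussian $D_{R,s}$ by a rounded continuous Gaussian (a simplification). The membership test at the end checks that every sampled row $(F_i \mid G_i)$ lies in $\Lambda_q^\perp([H \mid -I_k])$, i.e. that the half-trapdoor really is a set of short vectors of the public lattice.

```python
import random

def negacyclic_matrix(f, n):
    """T(f): row i holds the coefficients of X^i * f in Z[X]/(X^n + 1)."""
    T = [[0] * n for _ in range(n)]
    for i in range(n):
        for j, c in enumerate(f):  # X^(i+j) wraps to -X^(i+j-n) since X^n = -1
            T[i][(i + j) % n] += c if i + j < n else -c
    return T

def block_matrix(M, n):
    """Expand an a x b matrix over R into the an x bn integer matrix T(M)."""
    out = [[0] * (len(M[0]) * n) for _ in range(len(M) * n)]
    for i, row in enumerate(M):
        for j, f in enumerate(row):
            for r, Tr in enumerate(negacyclic_matrix(f, n)):
                out[i * n + r][j * n:(j + 1) * n] = Tr
    return out

def inverse_mod_q(A, q):
    """Gauss-Jordan inverse of a square integer matrix mod prime q; None if singular."""
    N = len(A)
    M = [[x % q for x in row] + [int(i == j) for j in range(N)] for i, row in enumerate(A)]
    for c in range(N):
        piv = next((r for r in range(c, N) if M[r][c]), None)
        if piv is None:
            return None  # no pivot: the matrix is singular mod q, the caller restarts
        M[c], M[piv] = M[piv], M[c]
        M[c] = [x * pow(M[c][c], -1, q) % q for x in M[c]]
        for r in range(N):
            if r != c:
                M[r] = [(x - M[r][c] * y) % q for x, y in zip(M[r], M[c])]
    return [row[N:] for row in M]

def vec_mat_mod(u, M, q):
    return [sum(a * b for a, b in zip(u, col)) % q for col in zip(*M)]

def gen_half_trapdoor(n, q, m, k, s, seed):
    """Starter from the slides: m Gaussian rows of R^{m+k} parsed as [F | G], restarted until
    T(F) is invertible mod q; returns F, G and T(H) for the public H = F^{-1} G mod q."""
    rng = random.Random(seed)
    while True:  # rounded continuous Gaussian stands in for the discrete Gaussian D_{R,s}
        rows = [[[round(rng.gauss(0, s)) for _ in range(n)] for _ in range(m + k)] for _ in range(m)]
        F, G = [r[:m] for r in rows], [r[m:] for r in rows]
        TF_inv = inverse_mod_q(block_matrix(F, n), q)
        if TF_inv is not None:
            return F, G, [vec_mat_mod(row, block_matrix(G, n), q) for row in TF_inv]

def in_ntru_lattice(u, v, TH, q):  # (u, v) in Lambda_q^perp([H | -I_k]) <=> u*H - v = 0 mod q
    return all((x - y) % q == 0 for x, y in zip(vec_mat_mod(u, TH, q), v))
```

With these toy parameters the width $s$ is far below the $O(n \cdot q^{k/(m+k)})$ needed for the uniformity result later in the talk, so the output illustrates the construction only, not the hardness argument.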
How hard are trapdoored NTRU lattices?

“NTRU assumption”
  • Computational: hard to compute $F, G$ from $H$. Well, if not, it’s not a trapdoor...
  • Decisional: hard to distinguish $H$ from $U(R_q^{m \times k})$. Needed for $\Lambda_q^\perp(H)$ to be “hard”.

Call $\mathcal{E}_s$ the distribution of $H = F^{-1}G \bmod q$.

New result: $\phi = X^n + 1$, $n$ a power of two, $q \equiv 3 \bmod 8$, for $3k \ge m \ge 1$: when $s \ge O(n \cdot q^{k/(m+k)})$, then $\mathcal{E}_s \approx U(R_q^{m \times k})$.

[SS’11] for $m = k = 1$: the result holds for all $q$. Strongly supports hardness of the trapdoored NTRU lattices.

On the uniformity of the public basis

New result: $\phi = X^n + 1$, $n$ a power of two, $q \equiv 3 \bmod 8$, for $3k \ge m \ge 1$: when $s \ge O(n \cdot q^{k/(m+k)})$, then $\mathcal{E}_s \approx U(R_q^{m \times k})$.

Intermediate useful result: if $q = \mathfrak{p}_1 \cdots \mathfrak{p}_r$ splits into $r$ prime ideals of $R$, when $s \ge O(n \cdot q^{1/(2r)})$, then

$\Pr_{F \leftarrow D^{m \times m}_{R,s}}[F \text{ invertible mod } q] \ge 1 - \dfrac{4n}{q^{n/r}}$.

Proof ideas/tools:
  • Inspired by [SS’11] and [LPR’13].
  • Involve module “multi-lattices” (additive subgroups of $M_m(R)$, see also [BF’11]).
  • {mod-$q$ invertibles} is not a lattice; our strategy to describe it: inclusion/exclusion over *all* lattices containing $qM_m(R)$ (they correspond to *all* $r$-tuples of subspaces of $(\mathbb{F}_{q^{n/r}})^m$).

1. Lattice trapdoors, NTRU lattices
2. Hard NTRU lattices with half-trapdoors
   • Trapdoor generation, a starter
   • Hardness of trapdoored NTRU
3. Completing the trapdoor, application to signatures

Generating a somewhat short basis¹

From now on, $k = 1$ and $m \ge 1$, with $[F \mid g] = [b_1, \dots, b_m]$ and $b_i \leftarrow D^{m+1}_{R,s_i}$.

Now, need $(f', g') \in R^{m+1}$ completing $[F \mid g]$ to a basis; let $D$ be the determinant of $\begin{pmatrix} F & g \\ f' & g' \end{pmatrix}$. With Schur’s complement and $\mathrm{adj}(F) = \det(F) \cdot F^{-1} \in R^{m \times m}$:

$D = \det(F) \cdot \det(g' - f' \cdot F^{-1} \cdot g) = g' \cdot \underbrace{\det(F)}_{\text{known}, \in R} - f' \cdot \underbrace{\mathrm{adj}(F)\, g}_{\text{known}, \in R^m}$

Take $f' = (\dots, 0, f'_i, 0, \dots)$ ⇒ back to solving an NTRU equation (remember Thomas’ talk).

¹ For another approach, see Cheon et al., ePrint 2019/1468.

Almost optimal trapdoors

Last problem: how large is $b_{m+1} = (f', g')$?

Fact 1: $\|\tilde{b}_{m+1}\| \ge q / \prod_i \|b_i\|$. Since all $b_i$’s are about $q^{1/(m+1)}$, $\tilde{b}_{m+1}$ should be, too.

Fact 2: $\tilde{b}_{m+1}$ is computable from $b_1, \dots, b_m$ without knowing $b_{m+1}$.

Finishing the trapdoor generation:
1) for $1 \le i \le m$, resample any vector that is too far from $q^{1/(m+1)}$;
2) compute $\tilde{b}_{m+1}$, restart if too large;
3) compute $b_{m+1}$ and output $(H, B)$.

$\|\tilde{b}_i\|$’s close to $\lambda_i$’s, $\|T(\tilde{B})\|_{\max}$ close to $\eta_\epsilon(\Lambda_q^\perp(H))$.

These trapdoors are almost optimal.

A practical application: Mod-Falcon²

                 m     n      s   Qsec | Minimizing |sig|  | Minimizing |sig|+|vk|
                                       |   |vk|    |sig|   |   |vk|    |sig|
  Falcon-512     1   512   6598   109  |    897     658    |     28    1276
  Falcon-1024    1  1024   9331   252  |   1793    1274    |     63    2508
  Mod-Falcon     2   512   1512   174  |   1792     972    |    940    1438

security/efficiency trade-off for Falcon

                  |vk|   |sig|   Qsec
  dilithium-III   1472   2701    125
  qTesla-p-I     14880   2592    140
  dilithium-IV    1760   3366    158
  Mod-Falcon      1792    972    174
  Mod-Falcon       940   1438    174

more compact for equivalent security

² To appear at AsiaCCS 2020; all sizes expressed in bytes

Food for thoughts

Question 1: We have almost optimal trapdoors for $h = F^{-1}g$. Can this be extended to almost optimal trapdoors for $H = F^{-1}G$? (main problem: how to complete the basis?)

Question 2: We can use them for signatures/IBE. Can we use these new trapdoors for something else? Can half-trapdoors’ usefulness be improved too?

Question 3: Extend the uniformity results to all $q$’s, and to more fields (Galois, all?). Generally, find new tools/techniques to compute the Gaussian mass of subsets; this is also related to the distribution of algebraic numbers.
