NTRU Cryptosystem: Recent Developments. Ron Steinfeld, School of IT (PowerPoint presentation)



SLIDE 1

Introduction NTRU Cryptosystem: Review NTRU Security: Recent Developments NTRU Applications: Recent Developments

NTRU Cryptosystem: Recent Developments

Ron Steinfeld, School of IT, Monash University, Australia (partly based on joint work with Damien Stehlé, ENS Lyon, France).
Johann Radon Institute (RICAM), Linz, Austria, December 2013.

Ron Steinfeld NTRU Cryptosystem: Recent Developments Dec 2013 1/40

SLIDE 2

Outline of the talk

1- Introduction
   Background: Why study NTRU?
2- NTRU Cryptosystem: Review
3- Recent Developments on NTRU Security
   NTRU variant provably as secure as worst-case lattice problems
   Tools: Discrete Gaussians, Fourier analysis, Ring-LWE
4- Recent Developments on NTRU Applications
   Fully-Homomorphic Encryption (FHE) from NTRU
   Cryptographic Multilinear Maps from NTRU
5- Concluding Remarks

SLIDE 3

The NTRU Cryptosystem

NTRUEncrypt: A public-key encryption scheme.
- 1996: Proposed by Hoffstein, Pipher & Silverman.
- 1997: Lattice attacks by Coppersmith & Shamir.
- 1998: Revised by Hoffstein et al.

In the last 15 years:
- Several minor improvements to the lattice attacks.
- Attacks for isolated sets of parameters.
- But the design has proved very robust.

In the last 3 years (this talk):
- Variants with a provable security foundation.
- Variants with new functionality.


SLIDE 6

Why study NTRU Cryptosystem?

- Standardized: IEEE P1363.
- Commercialized: Security Innovation.
- Super-fast (comparison to 1024-bit RSA, based on an NTRU brochure):
  - Encryption ∼ 10 times faster.
  - Decryption ∼ 100 times faster.
  - Asymptotically: $O(\lambda)$ versus $O(\lambda^6)$, for security $2^\lambda$.
- Interesting security features:
  - No integer factoring nor discrete logs.
  - Seems to resist practical attacks.
  - Seems to resist quantum attacks.


SLIDE 9

Polynomial Rings

Take $\varphi \in \mathbb{Z}[x]$ monic of degree $n$. $R^\varphi := (\mathbb{Z}[x]/(\varphi), +, \times)$.

Interesting $\varphi$'s: $\varphi = x^n - 1 \to R^-$, $\varphi = x^n + 1 \to R^+$.

For $n$ a power of 2, the ring $R^+$ is isomorphic to the ring of integers of $K = \mathbb{Q}[e^{i\pi/n}]$:
$K \simeq \mathbb{Q}[x]/(x^n + 1)$, $\mathcal{O}_K \simeq \mathbb{Z}[x]/(x^n + 1)$.
⇒ Rich algebraic structure (great for design and proofs).


SLIDE 12

Polynomial Rings

Let $q \ge 2$ and $\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}$. $R^\varphi_q := (\mathbb{Z}_q[x]/(\varphi), +, \times)$.

Arithmetic in $R^\varphi_q$ costs $O(n \log q)$.

$R^+_q$ is isomorphic to $\mathcal{O}_K/(q)$.

The key to decryption correctness: If $f \in R^\varphi$ is known to have coefficients in $(-q/2, q/2)$, then $f \bmod q$ uniquely determines $f$.


SLIDE 15

NTRU Cryptosystem: Key Generation

Parameters: $n$ prime, $q \approx n$ a power of 2, $p$ small, $\varphi = x^n - 1$ (e.g. $(n, q, p) = (503, 256, 3)$).

Secret key sk: $f, g \in R^-$ sampled independently from a distribution $\chi_\sigma$ with $\mathrm{Supp}(\chi_\sigma) = \{-1, 0, 1\}^n$, such that:
- $f$ is invertible mod $q$ and mod $p$;
- the coefficients of $f$ and $g$ are small.

Public key pk: $h = g/f \bmod q$.

Security intuition: Given $h \in R^-_q$, finding small $g, f \in R^-$ such that $h = g/f\ [q]$ is hard.


SLIDE 19

NTRU Cryptosystem: Encryption and Decryption

sk: $f, g \in R^-$ small with $f$ invertible mod $q$ and mod $p$. pk: $h = g/f \bmod q$.

Encryption of $M \in R$ with coefficients in $\{0, \ldots, p-1\}$:
- Sample $s, e \in R^-_q$ from distributions $\chi_\rho$, $\chi_\beta$ respectively, with small coefficients ($\mathrm{Supp}(\chi_\rho) = \{-1, 0, 1\}^n$, $\mathrm{Supp}(\chi_\beta) = \{0\}$).
- Send $C := p(hs + e) + M \bmod q$.

Decryption of $C \in R^-_q$:
- $f \times C = p(gs + fe) + fM \bmod q$.
- Smallness ⇒ the equality holds over $R^-$.
- $(f \times C \bmod q) \bmod p = fM \bmod p$.
- Multiply by the inverse of $f$ mod $p$.

Security intuition: The mask $p(hs + e)$ hides the plaintext $M$ in the ciphertext $C$.

SLIDE 20

Lattices Background: Approx-SVP

Lattice $\equiv \{\sum_{i \le n} x_i b_i : x_i \in \mathbb{Z}\}$, for some linearly independent $b_i$'s.
Minimum: $\lambda(L) = \min(\|b\| : b \in L \setminus 0)$.
$\gamma$-SVP: Find $b \in L$ with $0 < \|b\| \le \gamma \cdot \lambda(L)$.
- No known sub-exponential algorithm for $\gamma = \mathrm{Poly}(n)$. Not even quantumly.
- Seems harder than Int-Fac and DLog.


SLIDE 23

Lattice Background: Approx-Ideal-SVP

$I \subseteq R^\varphi$ is an ideal if: $\forall a, b \in I,\ \forall r \in R^\varphi : a + b \cdot r \in I$.
We identify polynomials with vectors via their coefficients: $R^\varphi \to \mathbb{Z}^n$, $\sum_{i < n} f_i x^i \mapsto (f_0, \ldots, f_{n-1})^t$.
An ideal $I$ is mapped to an integer lattice.
Poly(n)-Ideal-SVP: Poly(n)-SVP restricted to ideal lattices.
No known computational advantage for this family of inputs.


SLIDE 27

Security of NTRU: Lattice Attacks

Coppersmith–Shamir lattice attack: Given $h = g/f \in R_q$, the small secret key $(f, g) \in R^2$ satisfies $f \cdot h - g = 0 \bmod q$.
The set of all solutions $(f', f'h + qR) \in R^2$ to the above is a $2n$-dimensional $\mathbb{Z}$-lattice $L_{\mathrm{NTRU}}$ with row basis

$$\begin{pmatrix} I_n & \mathrm{rot}(h) \\ 0 & qI_n \end{pmatrix}, \qquad (1)$$

called the NTRU lattice.
Attack: $(f, g) = \lambda_1(L_{\mathrm{NTRU}})$ → run $\gamma$-SVP on $L_{\mathrm{NTRU}}$ and hope to get a small multiple of $(f, g)$.
Catch: $(q, 0) \in L_{\mathrm{NTRU}}$, so we need $\gamma \le q/\|(f, g)\| = O(\mathrm{Poly}(n))$.
Recall: The best known algorithms for Poly(n)-SVP take time $2^{\Omega(n)}$!
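The following is an added worked example, not code from the deck or from Stehlé–Steinfeld: a toy NTRUEncrypt over $R^- = \mathbb{Z}[x]/(x^n - 1)$ exactly as the key-generation and encryption/decryption slides describe it, together with the NTRU lattice basis of equation (1). It assumes the hypothetical toy parameters $(n, q, p) = (11, 64, 3)$ rather than the slide's $(503, 256, 3)$, fixed ternary weights chosen so the coefficient bound $|p(gs) + fM| < q/2$ always holds (the "$f \bmod q$ uniquely determines $f$" fact), and inversion of $f$ by Gaussian elimination mod $p$ plus Hensel lifting for $q = 2^k$. The lattice part only verifies membership of $(f, g)$ and $(q, 0)$ in $L_{\mathrm{NTRU}}$; it runs no reduction.

```python
import random

# Toy NTRUEncrypt over R^- = Z[x]/(x^n - 1) following the deck's description, with the hypothetical
# toy parameters (n, q, p) = (11, 64, 3) instead of the slide's (503, 256, 3). Polynomials are
# coefficient lists of length n; all sampling comes from a caller-supplied random.Random.

def poly_mul(a, b, n, m=None):
    """Product in Z[x]/(x^n - 1) (cyclic convolution), reduced mod m when m is given."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % n] += ai * bj
    return [v % m for v in c] if m else c

def center(a, m):
    """Lift Z_m coefficients to the representative in [-m/2, m/2): 'f mod q determines f'."""
    return [((v + m // 2) % m) - m // 2 for v in a]

def inverse_mod_prime(f, n, p):
    """f^-1 in Z_p[x]/(x^n - 1) via Gaussian elimination on the circulant of f; None if f is not a unit."""
    # Row k encodes (f*u)_k = sum_i f_{(k-i) mod n} u_i; the augmented column is the polynomial 1.
    rows = [[f[(k - i) % n] % p for i in range(n)] + [int(k == 0)] for k in range(n)]
    for col in range(n):
        piv = next((r for r in range(col, n) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], -1, p)
        rows[col] = [(v * inv) % p for v in rows[col]]
        for r in range(n):
            if r != col and rows[r][col]:
                t = rows[r][col]
                rows[r] = [(vr - t * vc) % p for vr, vc in zip(rows[r], rows[col])]
    return [rows[k][n] for k in range(n)]

def inverse_mod_pow2(f, n, q):
    """f^-1 in Z_q[x]/(x^n - 1) for q = 2^k: invert mod 2, then Hensel-lift with u <- u(2 - f u)."""
    u = inverse_mod_prime(f, n, 2)
    if u is None:
        return None
    m = 2
    while m < q:
        m *= m                          # each round squares the working modulus
        corr = [(-v) % m for v in poly_mul(f, u, n, m)]
        corr[0] = (corr[0] + 2) % m     # corr = 2 - f*u  (mod m)
        u = poly_mul(u, corr, n, m)
    return [v % q for v in u]

def ternary(rng, n, plus, minus):
    """Polynomial with `plus` coefficients equal to +1, `minus` equal to -1, the rest 0."""
    v = [0] * n
    idx = rng.sample(range(n), plus + minus)
    for i in idx[:plus]:
        v[i] = 1
    for i in idx[plus:]:
        v[i] = -1
    return v

def keygen(rng, n=11, q=64, p=3):
    """sk = (f, f^-1 mod p), pk = h = g/f mod q, plus g for the lattice check below.
    Weights are fixed (f: 3 ones, 2 minus-ones; g: 2 ones, 1 minus-one) so that with s of
    weight 3 and M in {0,1,2}^n, |p*(g*s) + f*M| <= 3*3 + 5*2 = 19 < q/2: no decryption failures."""
    while True:
        f = ternary(rng, n, 3, 2)
        f_p, f_q = inverse_mod_prime(f, n, p), inverse_mod_pow2(f, n, q)
        if f_p is not None and f_q is not None:       # f must be invertible mod p and mod q
            g = ternary(rng, n, 2, 1)
            return (f, f_p), poly_mul(g, f_q, n, q), g

def encrypt(h, M, s, n=11, q=64, p=3, e=None):
    """C = p(hs + e) + M mod q; the deck's base scheme uses e = 0 (Supp(chi_beta) = {0})."""
    e = e or [0] * n
    hs = poly_mul(h, s, n, q)
    return [(p * (hs[i] + e[i]) + M[i]) % q for i in range(n)]

def decrypt(sk, C, n=11, q=64, p=3):
    """f*C mod q = p(gs + fe) + fM holds over Z after centering; reduce mod p and cancel f."""
    f, f_p = sk
    a = center(poly_mul(f, C, n, q), q)
    return poly_mul(f_p, [v % p for v in a], n, p)

def ntru_basis(h, n, q):
    """Row basis [[I_n, rot(h)], [0, q I_n]] of L_NTRU (eq. (1)); row i of rot(h) is x^i * h."""
    unit = lambda i: [int(j == i) for j in range(n)]
    top = [unit(i) + poly_mul(unit(i), h, n, q) for i in range(n)]
    bottom = [[0] * n + [q * v for v in unit(i)] for i in range(n)]
    return top + bottom

def in_ntru_lattice(h, f, g, n, q):
    """(f, g) is in L_NTRU iff f*h = g mod q; then (f, g) = x*B with x = (f, k), k = (g - f*h)/q."""
    fh = poly_mul(f, h, n)                                   # over Z, no reduction
    if any((g[j] - fh[j]) % q for j in range(n)):
        return False
    x = list(f) + [(g[j] - fh[j]) // q for j in range(n)]
    B = ntru_basis(h, n, q)
    return [sum(x[i] * B[i][j] for i in range(2 * n)) for j in range(2 * n)] == list(f) + list(g)

def demo(seed=2013, n=11, q=64, p=3, trials=20):
    """Round-trip `trials` random messages and check (f, g) and (q, 0) both lie in L_NTRU."""
    rng = random.Random(seed)
    sk, h, g = keygen(rng, n, q, p)
    ok = True
    for _ in range(trials):
        M = [rng.randrange(p) for _ in range(n)]
        ok &= decrypt(sk, encrypt(h, M, ternary(rng, n, 2, 1), n, q, p), n, q, p) == M
    f = sk[0]
    return ok, in_ntru_lattice(h, f, g, n, q), in_ntru_lattice(h, [q] + [0] * (n - 1), [0] * n, n, q)

if __name__ == "__main__":
    print(demo())   # (True, True, True)
```

The fixed weights in `keygen` are what makes the centering step in `decrypt` exact: every coefficient of $p(gs) + fM$ lies in $[-19, 19]$, inside the window $[-32, 31]$ that `center` recovers, so the "smallness ⇒ equality over $R^-$" step never fails for these toy parameters. The `in_ntru_lattice` check also shows concretely why $(q, 0)$ is a lattice vector: its coefficient vector against the rows of (1) is $(q, 0, \ldots, 0, -h_0, \ldots, -h_{n-1})$.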


SLIDE 30

NTRU variant provably as secure as worst-case lattice problems

Motivation: NTRU lattices have a special algebraic structure.
- What if an efficient approx-SVP algorithm could be tailored to NTRU lattices?
- Could there exist a non-negligible fraction of "weak" NTRU lattices?

Theorem [Stehlé, Steinfeld 2011]. There is a choice of parameters for the NTRU cryptosystem so that:
- encryption/decryption of $\lambda$ bits still cost $O(\lambda)$;
- any polynomial-time IND attack leads to a polynomial-time quantum algorithm for Poly(n)-Ideal-SVP that works for all inputs.


SLIDE 32

Indistinguishability (IND) Security Definition

Modern security definition for public-key encryption (against passive eavesdropping).
For $b \in \{0, 1\}$, a two-phase game $G_b$ with adversary $A$:

Phase 1:
- $A$ is given the public key pk from the key generation algorithm $KG(n)$.
- $A$ outputs two challenge messages $m_0, m_1$.

Phase 2:
- $A$ is given the challenge ciphertext $c_b = \mathrm{Enc}(pk, m_b)$.
- $A$ outputs an estimate $b'$ for the bit $b$.

Indistinguishability (IND) security: For all Poly(n)-time $A$,
$$\mathrm{Adv}(A) \stackrel{\mathrm{def}}{=} \left|\Pr_{G_1}[b' = 1] - \Pr_{G_0}[b' = 1]\right| = n^{-\omega(1)} = \mathrm{neg}(n).$$


SLIDE 35

Security of NTRU: Computational/Statistical Problems

Essentially two ways to break the IND security of NTRU:

Crack the public key: NTRU Decision Key Cracking Problem $\mathrm{DNKC}_{n,q,\varphi,\chi_\sigma}$. Given $(n, q, \varphi)$ and $h$, distinguish
- the NTRU key distribution $D_0 = \{h = g/f \in R_q : f, g \hookleftarrow \chi_\sigma\}$;
- the uniform key distribution $D_1 = \{h \hookleftarrow U(R^*_q)\}$.

Crack the ciphertext for a uniform key: NTRU Decision Ciphertext Cracking Problem $\mathrm{DNCC}_{n,q,\varphi,\chi_\rho,\chi_\beta}$. Given $(n, q, \varphi)$, $h$ sampled from $U(R^*_q)$, and $c$, distinguish
- the NTRU ciphertext distribution $D_0 = \{c = hs + e : s \hookleftarrow \chi_\rho,\ e \hookleftarrow \chi_\beta\}$;
- the uniform distribution $D_1 = \{c \hookleftarrow U(R_q)\}$.


SLIDE 37

IND Security of NTRU: Sufficient Condition

Proposition (adapted from [StSt11]). If DNKC and DNCC are both hard, then the NTRU cryptosystem achieves semantic (IND) security.

Proof by contradiction: three 'games' with adversary $A$:
- $\mathrm{IND}_b$: pk $h = g/f$, ciphertext $c_b = p \cdot (hs + e) + m_b$; $p_b = \Pr_{\mathrm{IND}_b}[A(h, c_b) = 1]$.
- $\mathrm{IND}'_b$: pk $h \hookleftarrow U(R^*_q)$, ciphertext $c_b = p \cdot (hs + e) + m_b$; $p'_b = \Pr_{\mathrm{IND}'_b}[A(h, c_b) = 1]$.
  If $|p'_b - p_b| = \text{non-neg}(n)$, then $A$ breaks DNKC.
- $\mathrm{IND}''_b$: pk $h \hookleftarrow U(R^*_q)$, ciphertext $c_b = p \cdot U(R_q) + m_b$; $p''_b = \Pr_{\mathrm{IND}''_b}[A(h, c_b) = 1]$.
  If $|p''_b - p'_b| = \text{non-neg}(n)$, then $A$ breaks DNCC.

Else, $A$ can distinguish $\mathrm{IND}''_0$ from $\mathrm{IND}''_1$: contradiction, since the $p \cdot U(R_q)$ term perfectly hides $m_b$!

SLIDE 38

How to make both DNKC and DNCC problems hard?

StSt11 strategy to prove hardness of the DNKC and DNCC problems:

Choose $\chi_\sigma$ for $f, g$ to make DNKC statistically hard.
- $f, g \hookleftarrow \chi_\sigma$ → $h = g/f$ is almost uniformly distributed on $R^*_q$.
- Must work in the statistical region: $|\mathrm{Supp}(\chi_\sigma)| > |R^*_q|$ → $\sigma > \sqrt{q}$.
- Use a (modified) discrete Gaussian distribution $\chi_\sigma$.
- Proof ingredients: Fourier analysis, duality of lattices, algebraic structure of $R_q$.

Choose $\chi_\rho = \chi_\beta$ for $s, e$ to make DNCC computationally hard.
- Change rings: $R^-_q = \mathbb{Z}_q[x]/(x^n - 1) \to R^+_q = \mathbb{Z}_q[x]/(x^n + 1)$, $n = 2^k$.
- $h \hookleftarrow U(R^*_q)$, $s, e \hookleftarrow \chi_\beta$ → $(h, c = hs + e)$ is computationally indistinguishable from $U(R^*_q \times R_q)$, if $\approx q/\beta$-Ideal-SVP is hard.
- Must work in the computational region: $|\mathrm{Supp}(\chi_\beta)| < |R_q|$ → $\beta < \sqrt{q}$.
- Use a rounded Gaussian distribution $\chi_\beta$.

SLIDE 39

The modified scheme

Parameters: $n$, $q$ a power of 2, $R = R^-$.
Key generation: sk: $f, g \in R$ with:
- $f$ invertible mod $q$ and $p$;
- coefficients of $f$ and $g$ in $\{-1, 0, 1\}$.
pk: $h = g/f \bmod q$.
Encryption of $M \in R$ with coefficients in $\{0, 1\}$: $C := phs + M \bmod q$, with coefficients of $s$ in $\{-1, 0, 1\}$.
Decryption of $C \in R_q$:
- $f \times C \bmod q = pgs + fM$ (over $R$);
- $(f \times C \bmod q) \bmod p = fM \bmod p$;
- multiply by the inverse of $f$ mod $p$.

SLIDE 40

The modified scheme

Parameters: $n$ a power of 2, $q$ prime, $R = R^+$.
Key generation: sk: $f, g \in R$ with:
- $f$ invertible mod $q$ and $p$;
- coefficients of $f$ and $g$ of magnitude $\approx \sqrt{q}$.
pk: $h = g/f \bmod q$.
Encryption of $M \in R$ with coefficients in $\{0, 1\}$: $C := p(hs + e) + M \bmod q$, with coefficients of $s, e$ of magnitude $\approx \beta$.
Decryption of $C \in R_q$:
- $f \times C \bmod q = p(gs + fe) + fM$ (over $R$);
- $(f \times C \bmod q) \bmod p = fM \bmod p$;
- multiply by the inverse of $f$ mod $p$.

SLIDE 41

The distribution $\chi_\sigma = D^\times_\sigma$ of $f$ and $g$

1. Sample $f$ from the discrete Gaussian $D_{\mathbb{Z}^n,\sigma}$ (using [GePeVa'08]):
$$\forall x \in \mathbb{Z}^n : D_{\mathbb{Z}^n,\sigma}[x] \sim \exp\left(-\frac{\pi \|x\|^2}{\sigma^2}\right).$$
2. If $f$ is not invertible in $R_q$, restart.

Discrete Gaussian with odd support.
If $f \hookleftarrow D^\times_\sigma$, then $\|f\| \le \sigma\sqrt{n}$ with overwhelming probability.
Here, we need $\sigma \ge \sqrt{q}$.
We also want $f$ invertible mod $p$: handled by tweaking $D^\times_\sigma$.

SLIDE 42

Making $h = g/f$ statistically close to uniform

Main technical contribution of StSt11: If $\sigma \ge n \cdot q^{\frac12 + \varepsilon}$ with $\varepsilon > 0$, then
$$\Delta\left(\frac{D^\times_\sigma}{D^\times_\sigma} \bmod q,\ U(R^\times_q)\right) \le q^{-\Omega(\varepsilon \cdot n)},$$
where $\Delta(D_1, D_2) = \frac12 \sum_t |D_1(t) - D_2(t)|$ is the statistical distance.

We don't get uniformity in $R_q$ but only in $R^\times_q$.

Proof based on the smoothing phenomenon of Gaussians modulo lattices (MR04).
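As an added illustration of the two preceding slides (the distribution $D^\times_\sigma$ and the statement that $g/f$ becomes close to uniform on $R^\times_q$ as $\sigma$ grows), the following code, which is not from the deck or from StSt11, computes the statistical distance exactly for a toy ring. It assumes $R^+_q = \mathbb{Z}_q[x]/(x^n + 1)$ with the hypothetical tiny parameters $(n, q) = (4, 3)$ so that the whole ring (81 elements, 64 of them units) can be enumerated; the discrete Gaussian is taken as a product of one-dimensional ones and then conditioned on the residue being a unit, which is what restricting $D_{\mathbb{Z}^n,\sigma}$ to invertible elements does to the residue distribution.

```python
import itertools
import math

# Exact computation, for a tiny instance of R^+_q = Z_q[x]/(x^n + 1), of how close h = g/f is to
# uniform on the units R^x_q when f and g are drawn from D^x_sigma (the discrete Gaussian on Z^n
# restricted to invertible elements). (n, q) = (4, 3) are toy values chosen so that the whole ring
# can be enumerated; they are not the deck's parameters.

def mul_negacyclic(a, b, n, q):
    """Product in Z_q[x]/(x^n + 1): x^n wraps around with a sign flip."""
    c = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                c[i + j] += ai * bj
            else:
                c[i + j - n] -= ai * bj
    return tuple(v % q for v in c)

def units(n, q):
    """All invertible residues, found by brute-force search for an inverse (fine for 81 elements)."""
    elems = list(itertools.product(range(q), repeat=n))
    one = tuple([1] + [0] * (n - 1))
    return [f for f in elems if any(mul_negacyclic(f, u, n, q) == one for u in elems)]

def gaussian_mod_q(sigma, q, tail=12):
    """One-dimensional discrete Gaussian D_{Z,sigma}[k] ~ exp(-pi k^2 / sigma^2), reduced mod q."""
    w = [0.0] * q
    bound = int(tail * sigma) + q
    for k in range(-bound, bound + 1):
        w[k % q] += math.exp(-math.pi * k * k / (sigma * sigma))
    total = sum(w)
    return [v / total for v in w]

def ratio_distance(sigma, n=4, q=3):
    """Statistical distance Delta(g/f mod q, U(R^x_q)) for f, g <- D^x_sigma, computed exactly.
    D_{Z^n,sigma} is a product distribution, so the residue f mod q has probability
    prod_i p1[f_i]; conditioning on f being a unit gives the residue distribution of D^x_sigma."""
    p1 = gaussian_mod_q(sigma, q)
    U = units(n, q)
    weight = {f: math.prod(p1[c] for c in f) for f in U}
    z = sum(weight.values())                      # normalising constant of D^x_sigma
    px = {f: w / z for f, w in weight.items()}
    # Pr[g/f = h] = sum_f Pr[f] * Pr[g = h*f]; h*f is again a unit, so its probability is px[h*f].
    ph = {h: sum(px[f] * px[mul_negacyclic(h, f, n, q)] for f in U) for h in U}
    return 0.5 * sum(abs(p - 1 / len(U)) for p in ph.values())

if __name__ == "__main__":
    for sigma in (1.0, 2.0, 4.0, 8.0):
        print(f"sigma={sigma:3.0f}  Delta(g/f, uniform on units) = {ratio_distance(sigma):.3e}")
```

For these toy values the distance drops from roughly 0.6 at $\sigma = 1$ (where $f$ and $g$ are almost always monomials, so $g/f$ is almost always $\pm x^i$) to below $10^{-6}$ at $\sigma = 8$, which is past the slide's threshold $\sigma \ge n \cdot q^{1/2 + \varepsilon} \approx 7$; the distance is measured on $R^\times_q$ only, matching the remark that uniformity is obtained in $R^\times_q$ and not in $R_q$.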


SLIDE 45

Gaussians Modulo Lattices: Smoothing Phenomenon

Take a continuous Gaussian density function $\nu_\sigma(x)$ on $\mathbb{R}^n$ with width parameter $\sigma$: $\nu_\sigma(x) = \sigma^{-n} \cdot \rho_\sigma(x)$, $\rho_\sigma(x) \stackrel{\mathrm{def}}{=} e^{-\pi\|x\|^2/\sigma^2}$, and reduce it modulo a lattice $L \subseteq \mathbb{R}^n$:
$$\nu'_\sigma(x) \stackrel{\mathrm{def}}{=} (\nu_\sigma \bmod L)(x) = \sum_{v \in L} \nu_\sigma(x + v).$$
Two regions for $\nu'_\sigma$ depending on $\sigma$:
- Wavy region: $\sigma$ small.
- Smooth region: $\sigma$ large.
As $\sigma$ increases, $\nu'_\sigma$ approaches uniformity; Micciancio–Regev (2004) studied this smoothing phenomenon.

SLIDE 46

Quantifying Smoothing Phenomenon: Fourier Analysis

$\nu'_\sigma$ naturally extends to an $L$-periodic function on $\mathbb{R}^n$:
$$\nu'_\sigma(x) \stackrel{\mathrm{def}}{=} \sum_{v \in L} \nu_\sigma(x + v) \;\Rightarrow\; \nu'_\sigma(x + t) = \nu'_\sigma(x)\ \ \forall t \in L.$$
$L$-periodic functions have a Fourier series decomposition:
$$\nu'_\sigma(x) = \det \hat{L} \cdot \sum_{w \in \hat{L}} c_{\sigma,w}\, e^{2\pi i \langle x, w\rangle},$$
where $\hat{L}$ is the dual lattice $\{w \in \mathbb{R}^n : \forall v \in L,\ \langle w, v\rangle \in \mathbb{Z}\}$.
- $w$'th Fourier component: $\psi_w(x) = e^{2\pi i \langle x, w\rangle}$.
  - $w = 0$: uniform component.
  - $w \in \hat{L} \setminus \{0\}$: non-uniform wavy component, with wave period $1/\|w\|$ in the direction of $w$.
- $w$'th Fourier coefficient $c_{\sigma,w}$ is the Fourier transform of $\nu_\sigma$ evaluated at $w$:
$$c_{\sigma,w} = \int_{\mathbb{R}^n} \nu_\sigma(x)\, e^{2\pi i \langle x, w\rangle}\, dx = \rho_{1/\sigma}(w).$$

SLIDE 47

Quantifying Smoothing Phenomenon: Fourier Analysis

$$\nu'_\sigma(x) = \det \hat{L} \cdot \sum_{w \in \hat{L}} \rho_{1/\sigma}(w)\, e^{2\pi i \langle x, w\rangle}.$$
Statistical distance $\Delta \stackrel{\mathrm{def}}{=} \int_{P(L)} |\nu'_\sigma(x) - \det L^{-1}|\, dx$ of $\nu'_\sigma$ to uniform:
$$\Delta \le S_\sigma(L) \stackrel{\mathrm{def}}{=} \sum_{w \in \hat{L} \setminus 0} \rho_{1/\sigma}(w).$$
$\varepsilon$-smoothing parameter $\eta_\varepsilon(L)$ of lattice $L$: $\eta_\varepsilon(L) \stackrel{\mathrm{def}}{=}$ the smallest $\sigma$ such that $S_\sigma(L) \le \varepsilon$.
Smooth region: $1/\sigma < \lambda_1(\hat{L})$, i.e. the terms in $S_\sigma(L)$ lie in the 'tail' of $\rho_{1/\sigma}$.

Theorem [MR04]. Fix $\varepsilon > 0$. We have
$$\eta_\varepsilon(L) \le \sqrt{n \ln(2n(1 + 1/\varepsilon))} \cdot \lambda(\hat{L})^{-1}.$$
[GPV08]: Extends to discrete Gaussians: $\nu_\sigma \to D_{\mathbb{Z}^n,\sigma}$ for $L \subseteq \mathbb{Z}^n$.
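The following added example (not from the deck or from [MR04]) makes the last three slides concrete for the one-dimensional lattice $L = c\mathbb{Z}$, an assumption chosen so that every quantity is a short sum: it evaluates the periodised Gaussian $\nu'_\sigma$, its statistical distance to the uniform density $1/c$ on the fundamental domain $[0, c)$, the Fourier-side bound $S_\sigma(L)$ over the dual $\hat{L} = (1/c)\mathbb{Z}$, and the smoothing parameter $\eta_\varepsilon(L)$ by bisection, which it compares with the [MR04] bound as stated above. It follows the slides' conventions $\rho_s(x) = e^{-\pi x^2/s^2}$ and $\nu_\sigma = \sigma^{-n}\rho_\sigma$, and takes the $\frac12$ factor in $\Delta$ from the statistical-distance definition on the "statistically close to uniform" slide.

```python
import math

# Added numerical illustration of the smoothing slides for the one-dimensional lattice L = c*Z
# (assumed here so that every quantity is a hand-checkable sum): the periodised Gaussian
# nu'_sigma, its statistical distance to the uniform density on a fundamental domain, the
# Fourier-side bound S_sigma(L), and the smoothing parameter eta_eps(L) versus the [MR04]
# bound quoted in the deck. Conventions: rho_s(x) = exp(-pi x^2 / s^2), nu_sigma = sigma^-n rho_sigma,
# and Delta carries the 1/2 factor of the statistical-distance definition.

def nu(x, sigma):
    """Continuous Gaussian density nu_sigma(x) = sigma^-1 * exp(-pi x^2 / sigma^2) on R (n = 1)."""
    return math.exp(-math.pi * x * x / (sigma * sigma)) / sigma

def nu_mod_lattice(x, sigma, c):
    """nu'_sigma(x) = sum_{v in cZ} nu_sigma(x + v), truncated where the Gaussian tail is negligible."""
    terms = int(8 * sigma / c) + 2
    return sum(nu(x + k * c, sigma) for k in range(-terms, terms + 1))

def stat_distance(sigma, c, grid=4000):
    """Delta = 1/2 * integral over [0, c) of |nu'_sigma(x) - 1/c| dx, by the midpoint rule."""
    h = c / grid
    return 0.5 * h * sum(abs(nu_mod_lattice((i + 0.5) * h, sigma, c) - 1 / c) for i in range(grid))

def s_sigma(sigma, c, terms=50):
    """S_sigma(L) = sum over the dual (1/c)Z minus 0 of rho_{1/sigma}(w) = exp(-pi sigma^2 w^2)."""
    return 2 * sum(math.exp(-math.pi * (sigma * k / c) ** 2) for k in range(1, terms + 1))

def eta(eps, c, lo=1e-3, hi=1e3):
    """Smoothing parameter eta_eps(L): the smallest sigma with S_sigma(L) <= eps, by bisection
    (S_sigma decreases in sigma, so the threshold is well defined)."""
    for _ in range(100):
        mid = (lo + hi) / 2
        lo, hi = (lo, mid) if s_sigma(mid, c) <= eps else (mid, hi)
    return hi

def mr04_bound(eps, c, n=1):
    """The deck's [MR04] bound sqrt(n ln(2n(1 + 1/eps))) / lambda_1(L^); for L = cZ, lambda_1(L^) = 1/c."""
    return math.sqrt(n * math.log(2 * n * (1 + 1 / eps))) * c

if __name__ == "__main__":
    for sigma in (0.2, 0.5, 1.0, 2.0):        # wavy region -> smooth region
        print(f"sigma={sigma:4.1f}  Delta={stat_distance(sigma, 1.0):.3e}  S_sigma={s_sigma(sigma, 1.0):.3e}")
    print("eta_0.01(Z) =", eta(0.01, 1.0), "<= MR04 bound", mr04_bound(0.01, 1.0))
```

For $c = 1$ the wavy region is visible at $\sigma = 0.2$, where the distance to uniform is about $0.64$, while at $\sigma = 2$ only the $w = \pm 1$ Fourier terms survive and the distance is about $2 \cdot 10^{-6}$, below $S_\sigma(\mathbb{Z}) \approx 7 \cdot 10^{-6}$ as the inequality $\Delta \le S_\sigma(L)$ predicts; $\eta_{0.01}(\mathbb{Z}) \approx 1.30$ sits comfortably under the [MR04] bound $\sqrt{\ln 202} \approx 2.30$.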

SLIDE 48

Proving uniformity of $h = g/f$ (1)

Outline of proof. Goal:
$$\Delta = \frac12 \sum_{h \in R^*_q} \left|\Pr_{f,g}[g/f = h] - |R^*_q|^{-1}\right| \le \varepsilon.$$
Sufficient term-wise condition: $\left|\Pr_{f,g}[g/f = h] - |R^*_q|^{-1}\right| < |R^*_q|^{-1} \cdot \varepsilon$.
Since $g/f = h$ is equivalent to $fh - g = 0$, it suffices to show $\left|\Pr_{f,g}[fh - g = 0] - |R^*_q|^{-1}\right| < |R^*_q|^{-1} \cdot \varepsilon$.
Observation: $\Pr_{f,g}[fh - g = 0]$ is the probability that $(f, g)$ falls in the NTRU lattice $L_h \stackrel{\mathrm{def}}{=} \{(f, g) \in R^2 : fh - g = 0 \bmod q\}$.
→ It suffices to show that the distribution $\chi_\sigma = (D^*_{\mathbb{Z}^n,\sigma})^2$ of $(f, g)$, reduced modulo the lattice $L_h$, is close to uniform on $\mathbb{Z}^{2n}/L_h$.
→ Can almost directly apply smoothing!

SLIDE 49

Proving uniformity of $h = g/f$ (2)

Q: How to deal with the non-lattice support of $\chi_\sigma = (D^*_{\mathbb{Z}^n,\sigma})^2$?
A: Decompose it in terms of lattices:
$$\mathbb{Z}^{2n} \cap (R^*_q)^2 = \mathbb{Z}^{2n} \setminus \bigcup_{S \subseteq \{1,\ldots,n\}} I_S,$$
where $I_S$ denotes the ideal of $R_q$ generated by $\prod_{i \in S} \varphi_i(x)$, and $\varphi_1, \ldots, \varphi_n$ denote the irreducible factors of $\varphi = x^n + 1 \bmod q$.
$$L_h \cap (R^*_q)^2 = L_h \setminus \bigcup_{S \subseteq \{1,\ldots,n\}} L_h(I_S), \qquad L_h(I_S) \stackrel{\mathrm{def}}{=} L_h \cap (I_S \times I_S).$$
Apply inclusion–exclusion to reduce term-wise to lattice smoothing:
$$\Pr_{f,g}[(f, g) \in L_h] = \frac{\sum_{S \subseteq \{1,\ldots,n\}} (-1)^{|S|} \cdot D_{\mathbb{Z}^{2n},\sigma}(L_h(I_S))}{\left(\sum_{S \subseteq \{1,\ldots,n\}} (-1)^{|S|} \cdot D_{\mathbb{Z}^n,\sigma}(I_S)\right)^2}.$$

SLIDE 50

Proving uniformity of $h = g/f$ (3)

Apply the smoothing-parameter method: we need a lower bound on the minimum of the dual, $\lambda(\widehat{L_h(I_S)})$.
- The dual of $L_h(I_S)$ has a simple algebraic description!
- A counting argument based on the algebraic structure of $R_q$ → probabilistic bound on the minimum.

Smoothing parameter of generalised NTRU lattices $L_h(I_S)$ [StSt11]. Fix $\varepsilon, \varepsilon' > 0$. Let $n \ge 8$ be a power of 2 such that $\varphi = x^n + 1$ splits into $n$ linear factors modulo a prime $q \ge 5$, and let $S \subseteq [n]$ with $|S| \le \varepsilon' n$. Then for all except a fraction $\le 2^{8n} q^{-2\varepsilon n}$ of $h \in R^*_q$, we have
$$\eta_\varepsilon(L_h(I_S)) \le \sqrt{n \ln(4n(1 + 1/\varepsilon))/\pi} \cdot q^{\frac12 + \varepsilon'/2 + \varepsilon}.$$

slide-51
SLIDE 51


Hardness of DNCC: The R-LWE Problem

The error distribution $\nu_\beta$: an $n$-dimensional Gaussian of standard deviation $\beta\ll q$, rounded to $\mathbb{Z}^n$ and viewed as an element of $R^+$. ⇒ Small element of $R^+$.

The R-LWE distribution $D_\beta$: Sample $a\hookleftarrow U(R_q^+)$, $s\hookleftarrow\nu_\beta$, $e\hookleftarrow\nu_\beta$; return $(a, as + e)\in R_q^+\times R_q^+$.

R-LWE (simplified): Distinguish between $D_\beta$ and $U(R_q^+\times R_q^+)$.

→ If $\chi_\beta = \chi_\rho = \nu_\beta$, DNCC coincides with R-LWE!


slide-54
SLIDE 54


Computational hardness of R-LWE

Hardness of R-LWE [LyPeRe'10]: Poly(n)-Ideal-SVP reduces to R-LWE in quantum polynomial time.
Security under R-LWE therefore implies security under Ideal-SVP.
Poly(n)-Ideal-SVP is conjectured hard, even using quantum computations.


slide-56
SLIDE 56


Homomorphic Encryption

Homomorphic encryption with respect to a function $f$ – Given:
- ciphertexts for messages $m_1,\dots,m_t$ (encrypted under $pk_A$): $c_1 = \mathrm{Enc}_{pk_A}(m_1),\dots,c_t = \mathrm{Enc}_{pk_A}(m_t)$,
- a function $f(m_1,\dots,m_t)$, and
- Alice's public key $pk_A$,
Bob can compute $c = \mathrm{Enc}_{pk_A}(m)$ for $m = f(m_1,\dots,m_t)$.

Primary application: private 'cloud computing':
- Setup: Alice generates $(sk_A, pk_A)$, keeps $sk_A$ private, and stores $c_i = \mathrm{Enc}_{pk_A}(m_i)$ on the cloud server (Bob).
- Query: Alice issues to Bob the search query $f$: $f(m_1,\dots,m_t) = \{m_i : \mathrm{Title}(m_i) = \text{'Bank Statement'}\}$.
- Response: Bob uses $f$ and $c_1,\dots,c_t$ to compute $c = \mathrm{Enc}_{pk_A}(f(m_1,\dots,m_t))$ and returns $c$ to Alice.
- Decryption: Alice uses $sk_A$ to decrypt $c$ and obtain $m = f(m_1,\dots,m_t)$.


slide-58
SLIDE 58


Homomorphic Encryption: Realization

History: Concept proposed in the 1970s [RAD78].
- 1970s – 2009: Very limited classes of functions $f$ allowed.
- 2009: First plausible scheme supporting arbitrary functions $f$ (Fully Homomorphic Encryption – FHE): based on hardness of approx-Ideal-SVP variants; inefficient – huge parameters.
- 2010–2013: Significant improvements; the most efficient schemes are based on R-LWE (BV11, BGV12, B12, LTV12, GHS13).

One of the more efficient schemes (LTV12) is an NTRU variant: the ciphertext is the same as in standard NTRU encryption. Hardness assumptions:
- DNKC problem in the computational region $\sigma < q^{1/2}$.
- 'circular' variant of the R-LWE problem = DNCC problem.


slide-59
SLIDE 59


Homomorphic Encryption: NTRU Variant (LTV12)

Observation: NTRU has natural 'semi-homomorphic' properties. Given ciphertexts $c_i = h\cdot s_i + pe_i + m_i\in R_q$, $i\in\{1, 2\}$:

Addition (ciphertexts over $R_q$, messages over $R_p$):
$$c = c_1 + c_2 = h\cdot(s_1 + s_2) + p(e_1 + e_2) + (m_1 + m_2).$$
$c$ decrypts with $sk = f$ to the message $m = m_1 + m_2\in R_p$. 'Semi-homomorphic' catch: need $\|p(gs + fe) + m\|_\infty < q/2$, with $s = s_1 + s_2$, $e = e_1 + e_2$.

Multiplication (ciphertexts over $R_q$, messages over $R_p$):
$$c = c_1\cdot c_2 = h^2s_1s_2 + h(s_1e'_2 + s_2e'_1) + p(e_1e_2 + e_1m_2 + e_2m_1) + m_1m_2.$$
$c$ decrypts with $sk = f^2$ to the message $m = m_1\cdot m_2\in R_p$. 'Semi-homomorphic' catch: need
$$\big\|(pg)^2s_1s_2 + (pfg)(s_1e'_2 + s_2e'_1) + f^2\big(p(e_1e_2 + e_1m_2 + e_2m_1) + m_1m_2\big)\big\|_\infty < q/2.$$

Multiplication is the bottleneck: even 1 mult requires $(\sigma\cdot\beta\,\mathrm{Poly}(n))^2\le q/2$.


slide-62
SLIDE 62


Homomorphic Encryption: NTRU Variant (LTV12)

For depth $d$ homomorphic multiplications, 'doubly exponential norm blowup' difficulty: need to decrypt with $sk = f^{2^d}$ – need $(\sigma\beta\,\mathrm{Poly}(n))^{2^d} < q/2$. For hardness of DNKC, this allows $d$ only up to $O(\log n)$!

Improvement to support larger $d$ (based on BV11): Relinearization. Apply a relinearization procedure to $c = c_1\cdot c_2$ after each homomorphic multiplication: produce $\hat c$ encrypting the same message $m_1\cdot m_2\in R_p$ as $c$, but decryptable with $f$, not $f^2$ → avoids the exponential degree blowup for $sk$.


slide-64
SLIDE 64


Homomorphic Encryption: NTRU Variant (LTV12)

Idea of relinearization: modify key generation – Alice publishes $\approx\log q$ additional ring elements $\zeta_\tau$, 'pseudo-encryptions' of $f^2$:
$$\zeta_\tau = h\cdot s_\tau + pe_\tau + 2^\tau f^2\in R_q \quad\text{for } \tau = 0,\dots,\lfloor\log q\rfloor.$$

Relinearization procedure – split $c$ into its binary representation $c = \sum_\tau c_\tau 2^\tau$ and compute
$$\hat c = \sum_\tau c_\tau\cdot\zeta_\tau = h\cdot\Big(\sum_\tau c_\tau s_\tau\Big) + p\cdot\Big(\sum_\tau c_\tau e_\tau\Big) + f^2\cdot\Big(\sum_\tau c_\tau 2^\tau\Big).$$

Second improvement (based on BV11): modulus reduction. Scales down the ciphertext $\hat c$ from $R_q$ to $R_{q'}$ with $q' < q$; the noise in $\hat c'$ is also scaled down by the ratio $q'/q$.

Overall: can support $f$ of mult. depth $d = O(n^\varepsilon)$. With the 'bootstrapping' technique [G09], arbitrary $f$ (FHE).


slide-67
SLIDE 67


Homomorphic Encryption: NTRU Variant (LTV12)

Relinearization → security now relies on a new variant of DNKC:

NTRU Decision Circular Key Cracking Problem $\mathrm{DNCKC}_{n,q,\varphi,\chi_\sigma,\chi_\beta,\ell}$: Given $(n, q, \varphi)$ and $(h, \{\zeta_\tau\}_\tau)$, distinguish
- the NTRU circular key distribution $D_0 = \{(h = g/f\in R_q,\ \zeta_\tau = h\cdot s_\tau + pe_\tau + 2^\tau f^2\in R_q) : f, g\hookleftarrow\chi_\sigma,\ s_\tau, e_\tau\hookleftarrow\chi_\beta\}$, and
- the uniform key distribution $D_1 = U(R_q^*)\times U(R_q^\ell)$.

Q: Hardness??


slide-68
SLIDE 68


Cryptographic Multilinear Maps

Example motivation: non-interactive key exchange. Classical Diffie-Hellman non-interactive 2-party key exchange (1976):
- Publish a cyclic group $G$ (generator $g$, order $q$) where the Discrete Log (DL) problem is hard.
- Alice chooses random $x_1\in\mathbb{Z}_q$, publishes $y_1 = g^{x_1}$.
- Bob chooses random $x_2\in\mathbb{Z}_q$, publishes $y_2 = g^{x_2}$.
- Both Alice and Bob compute the agreed secret key $K = g^{x_1x_2} = y_1^{x_2} = y_2^{x_1}$.


slide-69
SLIDE 69


Cryptographic Multilinear Maps

Q: How to generalize Diffie-Hellman to $N > 2$ parties?
A [J00,BS02]: Use a group where DL is hard and there is an efficient $(N-1)$-linear map $e : G_1\times\cdots\times G_{N-1}\to G_T$:
$$e(g^{x_1}, g^{x_2},\dots,g^{x_{N-1}}) = e(g,\dots,g)^{x_1\cdots x_{N-1}}\quad\forall x_1,\dots,x_{N-1}\in\mathbb{Z}_q.$$

$N$-party non-interactive key exchange:
- Publish a cyclic group $G$ (generator $g$, order $q$) where the DL problem is hard, with an efficient $(N-1)$-linear map $e$.
- For $i\in\{1,\dots,N\}$, party $P_i$ chooses random $x_i\in\mathbb{Z}_q$, publishes $y_i = g^{x_i}$.
- All parties can compute the agreed secret key $K = e(g,\dots,g)^{x_1\cdots x_N} = e(y_2, y_3,\dots,y_N)^{x_1}$.


slide-72
SLIDE 72


k-linear Maps: History

2000: Bilinear ($k = 2$) via Weil pairings on algebraic curves; applications:
- 2000: 3-party non-interactive key agreement [J00]
- 2000–2001: Identity-Based Encryption (IBE) [SK00,BF01]
- 2001: Short signatures [BS01]
- 2000–2013: lots of others

2002: Applications for $k$-linear maps [BS02]:
- $(k+1)$-party non-interactive key agreement
- Efficient broadcast encryption, and others...

2012: First plausible realization for $k > 2$, via ideal lattices [GGH12]; applications:
- 2012–2013: Functional encryption for arbitrary functions
- 2013: Program obfuscation notions for arbitrary functions, and others...


slide-73
SLIDE 73


k-linear Maps: GGH Realization

[GGH12] realization: not quite a $k$-linear map, but essentially the same. Technically, a $k$-graded encoding scheme:
- Replace the groups $\mathbb{Z}_q$, $G$ by the rings $R_p$, $R_q$.
- Replace $x\mapsto g^x$ by $x\mapsto\mathrm{Enc}_1(x;\rho)$, a randomized 'level 1 encoding' of $x$.
- Replace $e(g^{x_1},\dots,g^{x_k}) = e(g,\dots,g)^{x_1\cdots x_k}$ by the homomorphic property up to 'level $k$': $\mathrm{Enc}_1(x_1;\rho_1)\cdots\mathrm{Enc}_1(x_k;\rho_k) = \mathrm{Enc}_k(x_1\cdots x_k;\rho)$ for some $\rho$.
- Randomness-independent extraction at level $k$ – $\mathrm{Ext} : R_q\to\{0,1\}^\ell$: $\mathrm{Ext}(\mathrm{Enc}_k(x;\rho)) = r(x)\in\{0,1\}^\ell$ is independent of the randomness $\rho$, and uniformly random for $x\hookleftarrow U(R_p)$.


slide-74
SLIDE 74


GGH $k$-graded encoding scheme (LSS13 simplified – GGHLite)

Public params: Choose a secret 'small' $p\in R$. Publish $(h_1, h_2, \mathrm{ek})$ with:
- $h_1 = pg_1/f$, $h_2 = pg_2/f\in R_q$, with 'small' $f, g_1, g_2\hookleftarrow\chi_\sigma$, $\sigma < q^{1/k}$;
- $\mathrm{ek} = uf^k/p\in R_q$, for $u$ of norm $\|u\| = \mathrm{Poly}(n)\cdot q^{1/2}$.

Level 1 encoding of $m\in R_p$: $c = \mathrm{Enc}_1(m) = h_1s_1 + h_2s_2 + m\in R_q$, with $s_i$ 'small'. Note: $\mathrm{Enc}_1(m) = pg'/f + m$ for a small $g'$. By the homomorphic property, $\mathrm{Enc}_1(m_1)\cdots\mathrm{Enc}_1(m_k) = pg'/f^k + m = \mathrm{Enc}_k(m)$, with $m = m_1\cdots m_k \bmod p$.

Level $k$ representative extraction: $\mathrm{Ext}(\mathrm{ek}, c) = \mathrm{MSB}_\ell(\mathrm{ek}\cdot c)$. Note: $c = \mathrm{Enc}_k(m;\rho) = pg'/f^k + m$ → $\mathrm{Ext}(\mathrm{ek}, c) = \mathrm{MSB}_\ell(ug' + uf^k/p\cdot m) = \mathrm{MSB}_\ell(uf^k/p\cdot m)$, since $ug'$ is small.


slide-75
SLIDE 75


GGH $k$-graded encoding scheme (LSS13 simplified – GGHLite)

Scheme security depends on the hardness of a new variant of the DNKC problem:

$k$-graded NTRU Discrete-Log Problem $\mathrm{DNDL}_{n,q,\varphi,\chi_\sigma,\chi_\beta,\ell}$: Given $(n, q, h_1 = pg_1/f, h_2 = pg_2/f, \mathrm{ek} = uf^k/p)$ and $c = h_1s_1 + h_2s_2 + m\in R_q$, find $m'$ with $m'$ 'small' (less than $q$) such that $m' = m \bmod p$.

Note: Without knowing $\mathrm{ek}$, this is similar to the standard DNCC problem. With $\mathrm{ek}$, it may be easier (e.g. checking that $c$ is an encoding of $m$ is easy!).


slide-76
SLIDE 76


Conclusions

Interesting recent developments in both the security analysis and the applications of NTRU. Important open problems:
- Hardness of the NTRU key cracking problem in the computational region $\sigma < q^{1/2}$ (applications: efficient parameters, FHE, multilinear maps). Starting point: statistical properties of $h = g/f\in R_q$ in this region?
- Hardness of the circular NTRU ciphertext cracking problem (application: FHE).
- Hardness of the $k$-graded NTRU discrete-log problem (application: multilinear maps).
