Recovering NTRU Secret Key From Inversion Oracles

SLIDE 1

Recovering NTRU Secret Key From Inversion Oracles

Petros Mol (University of California, San Diego) and Moti Yung (Google Inc. / Columbia)

PKC 2008

SLIDE 2

Presentation Outline

- Overview of NTRUEncrypt
- Modeling inverting algorithms with inversion oracles
- Reducing key recovery to the inversion of the NTRU function
- Conclusions

SLIDE 3

Motivation

This work: can we recover the NTRU secret key if we are able to invert the NTRU function?

- Rabin cryptosystem: finding square roots modulo a composite N ⇔ recovering sk = (p, q) (factoring N).
- RSA: can we factor N if we can invert $f(x) = x^e \pmod N$? (The answer is believed to be negative.)

Scenarios: perfect inversion oracles, i) full output of the preimage, ii) YES/NO output (decisional version).

SLIDE 4

The NTRUEncrypt Scheme

Notation

- $P = \mathbb{Z}_q[X]/(X^N - 1)$: ring of truncated polynomials
- $B$, $B(d)$: binary polynomials (resp. binary polynomials with Hamming weight $d$)

Ring multiplication: $f(x) * g(x) = h(x)$ where $h_k = \sum_{i + j \equiv k \pmod N} f_i \cdot g_j$. The operator $*$ is both commutative and associative.

Inverse of a polynomial $p$: the polynomial $p_q$ with $p_q * p \equiv 1 \pmod q$.

SLIDE 5

Parameter Set

- N: all polynomials have degree up to N−1 (N should be prime and sufficiently large to resist lattice attacks)
- q, p: the large and the small modulus respectively
- $L_f$, $L_g$: private key spaces (polynomials with small coefficients)
- $L_r$, $L_m$: blinding value and plaintext space respectively
- center: a centering algorithm

Key Generation

1. Choose uniformly at random polynomials $f \in L_f$, $g \in L_g$.
2. Compute $f_q \equiv f^{-1} \pmod q$ and $f_p \equiv f^{-1} \pmod p$. If either $f_q$ or $f_p$ does not exist, or $g$ is not invertible mod $q$, return to step 1.
3. Compute $h \equiv f_q * p * g \pmod q$.
4. Public key: $h$. Private key: $(f, f_p)$.

SLIDE 6

Encryption

1. Select uniformly at random a blinding value $r \in L_r$.
2. Apply the NTRU function to the message polynomial $m \in L_m$: $e = E(m, r) = h * r + m \pmod q$.

Decryption

1. Compute $a \equiv f * e \equiv f * h * r + f * m \equiv p * g * r + f * m \pmod q$.
2. Using $a$ and the centering algorithm, compute a polynomial $A$ such that $A = p * r * g + f * m$ over the integers.
3. Compute $m \pmod p = f_p * A \pmod p$.
4. Recover $m \in L_m$ from $m \pmod p$.

SLIDE 7

Instantiations of NTRU

Var   q                   p     L_f             L_g          L_m     L_r          F        Dec. Fail
1998  2^k, k ∈ [N/2, N]   3     T(d_f, d_f−1)   T(d_g, d_g)  T       T(d_r, d_r)  –        YES
2001  2^k, k ∈ [N/2, N]   2+x   1+p*F           B(d_g)       B       B(d_r)       B(d_F)   YES
2005  prime               2     1+p*F           B(d_g)       B       B(d_r)       B(d_F)   NO
2007  2^k                 3     1+p*F           T(d,e)       T(d,e)  T(d,e)       T(d,e)   YES

$d_g, d_r, d_F$: Hamming weights of the polynomials $g, r, F$ respectively; all are known public parameters.

SLIDE 8

Previous Work vs. This Work

[Figure: the decryption box takes e and the private key (f, f_p) and outputs m; the question mark is a black box that takes e to m without the key.]

Previous work: CCA framework. This work: black box.

Attack                  #Queries     Dec. failures   Ciphertexts   Reply                  Applicability   Shape of f
Jaulmes, Joux           small        –               invalid       full output            unpadded        NTRU-1998
Hong et al.             very small   –               invalid       full output            unpadded        1+p*F
Hoffstein, Silverman    large        required        invalid       YES/NO                 unpadded        any shape
Howgrave-Graham et al.  large        required        valid         YES/NO                 padded          any shape
Gama, Nguyen            small (?)    required        valid         full output            padded          any shape
This work               depends      not required    –             both full and YES/NO   unpadded        1+p*F

SLIDE 9

Valid Challenges

$E_{q,h}^{d_r} = \{\, e \in \mathbb{Z}_q^N \mid \exists\, r \in B(d_r),\ m \in B:\ e \equiv h * r + m \pmod q \,\}$

Perfect Inversion Oracles

i) Full output oracle $\mathrm{Orc}_1$: on input $e \in \mathbb{Z}_q^N$, if $e \in E_{q,h}^{d_r}$ it returns all pair(s) $(r, m) \in B(d_r) \times B$ such that $e \equiv h * r + m \pmod q$; if $e \notin E_{q,h}^{d_r}$ it returns failure ($\bot$).

ii) Decision oracle $\mathrm{Orc}_1^{DEC}$: on input $e \in \mathbb{Z}_q^N$ it replies YES if $e \in E_{q,h}^{d_r}$ and NO otherwise.

SLIDE 10

NTRU Universal Breaking (UBNTRU)

UBNTRU is (p, orc, Q)-solvable if there exists an algorithm, polynomial in Q, which fully recovers f with probability at least p by querying oracle orc at most Q times (here p is a probability, not the small modulus).

Rewriting the Key Generation Equation

$f * h \equiv p * g \pmod q \;\Rightarrow\; (1 + p * F) * h \equiv p * g \pmod q \;\Rightarrow\; p_q * (1 + p * F) * h \equiv g \pmod q \;\Rightarrow\; p_q * h + h * F \equiv g \pmod q \;\Rightarrow\; u - p_q * h \equiv h * F + (u - g) \pmod q$

where $u = 1 + X + X^2 + \cdots + X^{N-1}$ (known from the public information) and both $F$ and $u - g$ are binary.

Setting $t \equiv u - p_q * h \pmod q$, which is computable from the public key alone, we get $t \equiv h * F + (u - g) \pmod q$: similar to an inversion instance $e \equiv h * r + m \pmod q$, with $F$ in the role of $r$ and $u - g$ in the role of $m$.

SLIDE 11

1) Universal Breaking With Orc1

Case 1: $d_F = d_r$. Then by definition $t \in E_{q,h}^{d_r}$, and thus upon querying $\mathrm{Orc}_1$ on $t$ we expect to recover $(F, u - g)$ (and thus $f$, $g$).

Case 2: $d_F = d_r + d$. Let $F_{i_1} = F_{i_2} = \cdots = F_{i_d} = 1$ for indices $i_1, i_2, \ldots, i_d$. Then

$t - h * (X^{i_1} + X^{i_2} + \cdots + X^{i_d}) \equiv h * (F - X^{i_1} - X^{i_2} - \cdots - X^{i_d}) + (u - g) \pmod q.$

Thus $F - X^{i_1} - X^{i_2} - \cdots - X^{i_d} \in B(d_r)$, i.e. $t - h * (X^{i_1} + \cdots + X^{i_d}) \in E_{q,h}^{d_r}$, and we can recover $F$, $g$ by querying $\mathrm{Orc}_1$ on $t - h * (X^{i_1} + X^{i_2} + \cdots + X^{i_d})$.

Case 3: $d_F = d_r - d$ (and likewise $N - d_F = d_r \pm d$). This case is symmetrical to case 2 and can be analyzed similarly.

SLIDE 12

Working Out the Details…

The complexity of the key recovery algorithm depends on: a) the pairs $\mathrm{Orc}_1$ returns upon being queried on valid challenges; b) the total number of queries until a valid challenge is found.

a) Bounding Orc1's output

[NTRU Collision Pair]: a pair $((r_1, m_1), (r_2, m_2))$ with $(r_i, m_i) \in B(d_r) \times B$ such that $(r_1, m_1) \neq (r_2, m_2)$ but $E(r_1, m_1) = E(r_2, m_2)$.

[Set of Preimages]: let $e \in \mathbb{Z}_q^N$ be a valid challenge; $\mathrm{preimg}(e) = \{\, x_i = (r_i, m_i) \mid r_i \in B(d_r),\ m_i \in B,\ h * r_i + m_i \equiv e \pmod q \,\}$.

SLIDE 13

Proposition: On input $e \in E_{q,h}^{d_r}$, the standard NTRU decryption algorithm fails to decrypt with probability at least $1 - 1/|\mathrm{preimg}(e)|$.

Implication: collisions ⇒ decryption failures.

Corollary: In NTRU-2005 (no decryption failures), collisions are impossible.

The Preimage Assumption: for each $e \in E_{q,h}^{d_r}$, $|\mathrm{preimg}(e)|$ is "small" (polynomially bounded).

Output of $\mathrm{Orc}_1$ on input $e$: polynomially bounded.

SLIDE 14

b) Bounding the number of queries addressed to Orc1

$\mu(N, M, d) \le \binom{N}{d} - \binom{M}{d} + 1$

- N coefficients, M = $d_F$ ones, d = $d_F - d_r$ coefficients picked at each guess.
- $\mu(N, M, d)$: number of guesses for finding d "correct" indices. A guess is correct iff all d picked indices are among the M ones; in the worst case every one of the $\binom{N}{d} - \binom{M}{d}$ wrong d-subsets is tried before a correct one.

1st Reduction: UBNTRU is $(1, \mathrm{Orc}_1, \mu(N, d_F, d_F - d_r))$-solvable. In particular, if $d = d_F - d_r$ is a small constant (compared to N), then UBNTRU can be solved within a polynomial number of queries to $\mathrm{Orc}_1$.

Probabilistic analysis (each uniformly random guess is correct with probability $\binom{d_F}{d_F - d_r} / \binom{N}{d_F - d_r}$): UBNTRU is $\left(1 - \varepsilon,\ \mathrm{Orc}_1,\ \frac{1}{\varepsilon} \cdot \binom{N}{d_F - d_r} \Big/ \binom{d_F}{d_F - d_r}\right)$-solvable.

SLIDE 15

2) Universal Breaking With Orc1DEC

Theorem: Ignoring collisions (of trinary polynomials), UBNTRU is $\left(1,\ \mathrm{Orc}_1^{DEC},\ \binom{N}{d_F - d_r} - \binom{d_F}{d_F - d_r} + N + 1\right)$-solvable.

Proof Sketch: At the j-th step we pick $I^{(j)} = (i_1^{(j)}, i_2^{(j)}, \ldots, i_d^{(j)})$ and query $\mathrm{Orc}_1^{DEC}$ on $t - h * (X^{i_1^{(j)}} + X^{i_2^{(j)}} + \cdots + X^{i_d^{(j)}})$. $I^{(j)}$ is such that $I^{(j)} \neq I^{(k)}$ for all $k \neq j$, and for all $j \ge 2$ there exists $k < j$ such that $I^{(j)}$ and $I^{(k)}$ differ at exactly one index, which can be efficiently found. Let $I^{(m)}$ lead to a "YES" reply from $\mathrm{Orc}_1^{DEC}$. Then by construction

(i) $m \le \binom{N}{d_F - d_r} - \binom{d_F}{d_F - d_r} + 1$;

(ii) $F_{i_1^{(m)}} = F_{i_2^{(m)}} = \cdots = F_{i_d^{(m)}} = 1$ (we have assumed no collisions);

(iii) we can efficiently find a configuration $I^{(k)}$ (one that got a "NO" reply) and an index $i_j^{(k)} \in I^{(k)} \setminus I^{(m)}$ such that $F_{i_j^{(k)}} = 0$.

SLIDE 16

2nd Reduction: If $d_F - d_r$ is small compared to N, UBNTRU is polynomially reduced to distinguishing valid from invalid challenges with success probability 1.

Getting the pieces together…

After at most $\binom{N}{d_F - d_r} - \binom{d_F}{d_F - d_r} + 1$ queries we know $d$ indices $i_1^{(m)}, \ldots, i_d^{(m)}$ that equal 1 and one index $i_j^{(k)}$ that equals 0. The rest $N - d - 1$ indices can be found with one query each:

$F_i = 1 \iff F - X^{i_1^{(m)}} - X^{i_2^{(m)}} - \cdots - X^{i_d^{(m)}} + X^{i_j^{(k)}} - X^i \in B(d_r)$

$F_i = 1 \iff t - h * (X^{i_1^{(m)}} + \cdots + X^{i_d^{(m)}} - X^{i_j^{(k)}} + X^i) \in E_{q,h}^{d_r}$

Extension: the proof works even in the presence of polynomially many collisions. Checking whether a "YES" configuration leads to the correct reconstruction of F adds an overhead of O(N) queries.
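The scheme of slides 5 and 6 and the two reductions of slides 10 to 16, carried through end to end in Python as an added example; this is not code from the slides or from the NTRU authors. It assumes toy parameters in the NTRU-2005 shape of slide 7 (N = 11, q = 29 prime, p = 2, f = 1 + p*F, binary g, r, m, weights d_F = 4, d_g = d_r = 3, so d = d_F − d_r = 1): these give no security and are chosen so that decryption never fails and a run takes seconds. The oracles Orc1 and Orc1DEC are simulated with the secret key (the reduction code only sees their answers), the ring inverse uses a shortcut that is specific to N = 11, q = 29, and all function names (mul, keygen, Oracle, target, shifted, recover_with_orc1, recover_with_dec, run) are mine. Setting d_F = d_r exercises case 1 of slide 11 (d = 0) through the same code.

```python
import itertools
import random

# Toy parameters in the NTRU-2005 shape of slide 7 (q prime, p = 2, f = 1 + p*F, binary g, r, m).
# N = 11, q = 29 give no security; they are assumed here so that every coefficient of
# p*g*r + f*m stays below q: decryption never fails and the centering step is the identity.
N, q, p = 11, 29, 2
dF, dg, dr = 4, 3, 3             # Hamming weights of F, g, r; d = dF - dr = 1 index guessed per query
ONE = [1] + [0] * (N - 1)
U = [1] * N                      # u = 1 + X + ... + X^(N-1)
PQ = pow(p, -1, q)               # p_q = p^(-1) mod q

def mul(a, b, mod):
    """Product in Z_mod[X]/(X^N - 1): h_k = sum over i + j = k (mod N) of a_i * b_j."""
    h = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            h[(i + j) % N] = (h[(i + j) % N] + ai * bj) % mod
    return h

def add(a, b, mod): return [(x + y) % mod for x, y in zip(a, b)]
def sub(a, b, mod): return [(x - y) % mod for x, y in zip(a, b)]
def ind(S): return [int(i in S) for i in range(N)]           # the polynomial sum_{i in S} X^i
def binary(d, rng): return ind(rng.sample(range(N), d))       # uniform element of B(d)

def inv_q(a):
    """a^(-1) mod q in the ring, or None.  Shortcut valid only for N = 11, q = 29: 29 is a primitive root
    mod 11, so X^11 - 1 = (X - 1)*Phi_11 with Phi_11 irreducible, the ring is GF(29) x GF(29^10), its unit
    group has order 28*(29^10 - 1), and a^(order - 1) is the inverse of any unit a."""
    r, base, e = ONE, a, 28 * (29 ** 10 - 1) - 1
    while e:
        if e & 1:
            r = mul(r, base, q)
        base, e = mul(base, base, q), e >> 1
    return r if mul(r, a, q) == ONE else None

def keygen(rng):
    """Slide 5 with L_f = 1 + p*F: h = f_q * p * g mod q; private key (f, F, g), f_p = 1 since f = 1 mod p."""
    while True:
        F, g = binary(dF, rng), binary(dg, rng)
        f = add(ONE, [p * x for x in F], q)
        fq = inv_q(f)
        if fq is not None and inv_q(g) is not None:
            return mul([p * x for x in fq], g, q), (f, F, g)

def encrypt(h, m, r): return add(mul(h, r, q), m, q)          # e = E(m, r) = h*r + m mod q
def decrypt(f, e): return [x % p for x in mul(f, e, q)]       # A = p*g*r + f*m exactly here; m = f_p*A mod p

class Oracle:
    """Orc1 (full output) and Orc1DEC (YES/NO) of slide 9, simulated with the secret key; queries are counted."""
    def __init__(self, h, sk): self.h, self.f, self.gq, self.queries = h, sk[0], inv_q(sk[2]), 0
    def invert(self, e):
        self.queries += 1
        A = mul(self.f, e, q)
        m = [x % p for x in A]
        gr = [(x - y) // p for x, y in zip(A, mul(self.f, m, q))]   # (A - f*m)/p = g*r when e is valid
        r = mul(self.gq, [x % q for x in gr], q)
        ok = all(x in (0, 1) for x in r) and sum(r) == dr and encrypt(self.h, m, r) == e
        return (r, m) if ok else None
    def dec(self, e): return self.invert(e) is not None

def target(h): return sub(U, [PQ * x for x in h], q)          # slide 10: t = u - p_q*h = h*F + (u - g) mod q

def shifted(h, t, plus=(), minus=()):
    """t - h*(sum_plus X^i - sum_minus X^i): valid iff F - sum_plus X^i + sum_minus X^i is in B(dr)."""
    return sub(t, mul(h, sub(ind(plus), ind(minus), q), q), q)

def assemble(h, F):
    """Public reconstruction from F: f = 1 + p*F and, by the key equation, g = p_q * f * h mod q."""
    f = add(ONE, [p * x for x in F], q)
    return f, F, mul([PQ * x for x in f], h, q)

def recover_with_orc1(h, oracle):
    """1st reduction (slides 11, 14): query Orc1 on t - h*sum_S X^i for d-subsets S; F = F' + sum_S X^i."""
    t = target(h)
    for S in itertools.combinations(range(N), dF - dr):       # <= C(N,d) - C(dF,d) + 1 queries
        ans = oracle.invert(shifted(h, t, S))
        if ans is not None:
            f, F, g = assemble(h, add(ans[0], ind(S), q))      # key-equation check guards against collisions
            if all(x in (0, 1) for x in F + g) and sum(F) == dF and sum(g) == dg:
                return f, F, g
    return None

def recover_with_dec(h, dec):
    """2nd reduction (slides 15, 16), YES/NO only: d one-positions of F, one zero-position z, then one query
    per other index w:  F_w = 1  iff  F - sum_ones X^i + X^z - X^w is in B(dr)."""
    t, d, F = target(h), dF - dr, [0] * N
    if d:
        ones = next(S for S in itertools.combinations(range(N), d) if dec(shifted(h, t, S)))
        z = next(w for w in range(N) if w not in ones and not dec(shifted(h, t, ones[1:] + (w,))))
        F = ind(ones)
    else:   # dF = dr: the query for the pair (i, z) answers YES iff F_i = 1 and F_z = 0
        i, z = next((i, z) for i in range(N) for z in range(N) if i != z and dec(shifted(h, t, (i,), (z,))))
        ones, F[i] = (), 1
    for w in range(N):
        if w != z and not F[w]:
            F[w] = int(dec(shifted(h, t, ones + (w,), (z,))))
    return assemble(h, F)

def run(seed=2008):
    """Key generation, an encrypt/decrypt round trip and both reductions; returns what happened."""
    rng = random.Random(seed)
    h, sk = keygen(rng)
    m, r = [rng.randrange(2) for _ in range(N)], binary(dr, rng)
    orc = Oracle(h, sk)
    k1, q1 = recover_with_orc1(h, orc), orc.queries
    orc.queries = 0
    k2, q2 = recover_with_dec(h, orc.dec), orc.queries
    return {"roundtrip": decrypt(sk[0], encrypt(h, m, r)) == m,
            "target_eq": target(h) == add(mul(h, sk[1], q), sub(U, sk[2], q), q),
            "orc1_ok": k1 == sk, "orc1_queries": q1, "dec_ok": k2 == sk, "dec_queries": q2}
```

`run()` returns whether the round trip worked, whether $t$ really equals $h*F + (u - g)$, whether each reduction handed back exactly the generated private key, and how many oracle queries each used (for these parameters at most C(11,1) − C(4,1) + 1 = 8 for Orc1, and 8 + 4 + 9 for Orc1DEC). The key-equation check in `recover_with_orc1` is a query-free form of the collision guard mentioned on slide 16; with a perfect oracle simulated from the secret key it never triggers, but it is what you would want against a real inversion algorithm that might return a colliding preimage.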

SLIDE 17

Efficiency of reductions and real NTRU parameters

$a \equiv f * e \equiv f * h * r + f * m \equiv p * g * r + f * m \equiv p * (g * r + F * m) + m \pmod q$

Desired properties

a) Combinatorial security: $d_r, d_F, d_g$ "large" enough (close to N/2)
b) Correct decryption: $p * (g * r + F * m) + m$ should have small width
c) $f = 1 + p * F$ makes both encryption and decryption more efficient

In practice... $d_F = d_r$ (as suggested in "Implementation Aspects of NTRU", in NSS, and in several technical reports)

Challenges proposed on the NTRU website

Security   N     q     d_F   d_g   d_r
Medium     251   128   72    71    72
High       347   128   64    173   64
Highest    503   256   420   251   170

SLIDE 18

Conclusions

- In the current parameter set ($f = 1 + p * F$), universally breaking NTRU is reducible to inverting NTRU instances.
- The efficiency of the reduction highly depends on the parameters $d_F, d_r$ and is actually exponential in the difference $d = |d_F - d_r|$.
- The reduction does not work in the presence of padding.
- Unlikely to lead to practical attacks. Still, algorithmically, key recovery is structurally equivalent to inversion: by the way keys are generated, the target t is no less "random" than a random inverting instance e.

Future Directions

- Extend the range of behavior of the black-box oracles. Define new non-perfect inversion oracles ⇒ less artificial reductions.
- More efficient reductions (further exploiting NTRU structure).

SLIDE 19

THANK YOU!