CA2263588C - Public key cryptosystem method and apparatus - Google Patents
Public key cryptosystem method and apparatus Download PDFInfo
- Publication number
- CA2263588C CA2263588C CA002263588A CA2263588A CA2263588C CA 2263588 C CA2263588 C CA 2263588C CA 002263588 A CA002263588 A CA 002263588A CA 2263588 A CA2263588 A CA 2263588A CA 2263588 C CA2263588 C CA 2263588C
- Authority
- CA
- Canada
- Prior art keywords
- phi
- message
- mod
- ideal
- polynomials
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Expired - Fee Related
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/30—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
- H04L9/3093—Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving Lattices or polynomial equations, e.g. NTRU scheme
Abstract
This public-key cryptosystem endocing technique uses a mixing system based on polynomial algebra and recuction modulo two numbers while the decoding technique uses an unmixing system whose validity depends on elementary probability theory. A method for encoding and decoding a digital message comprises the steps: selecting ideals p and q of a ring R (305); generating elements f and g of the ring R (325), and generating an element F sub q which is an inverse of f (mod q), and generating F sub p which is an inverse of f (mod p) (340); producing a public key that includes h (350), where h is congruent, mod q, to a product that can be derived using g and F sub q; producing a private key from which f and F sub p can be derived; producing a n encoded message by encoding the message using the public key and a random element; and producing a decoded message by decoding the encoded message using the private key.
Description
PUBLIC KEY CRYPTOSYSTEM METHOD AND APPARATUS
FIELD OF THE INVENTION
This invention relates to encoding and decoding of information and, more particularly, to a public key cryptosystem for encryption and decryption of digital messages by processor systems.
BACKGROUND OF THE INVENTION
Secure exchange of data between two parties, for example, between two computers, requires encryption. There are two general methods of encryption in use today, private key encryption and public key encryption. In private key encryption, the two parties privately exchange the keys to be used for encoding and decoding. A widely used example of a private key cryptosystem is DES, the Data Encryption Standard.
Such systems can be very fast and very secure, but they suffer the disadvantage that the two parties must exchange their keys privately.
A public key cryptosystem is one in which each party can publish their encoding process without compromising the security of the decoding process. The encoding process is popularly called a trap-door function. Public key cryptosystems, although generally slower than private key cryptosystems, are used for transmitting small amounts of data, such as credit card numbers, and also to transmit a private key which is then used for private key encoding.
Heretofore a variety of trap-door functions have been proposed and implemented for public key cryptosystems.
One type of trap-door function which has been used to create public key cryptosystems involves exponentiation in a group; that is, taking an element of a group and repeatedly multiplying the element by itself using the group operation.
The group most often chosen is the multiplicative group modulo pq for large prime numbers p and q, although other groups such as elliptic curves, abelian varieties, and even non-commutative matrix groups, have been described. However, this type of trap-door function requires large prime numbers, on the order of 100 digits each, making key creation cumbersome;
SUBSTITUTE SHEET (RULE 26) and the exponentiation process used for encoding and decoding is computationally intensive, requiring many multiplications of hundred digit numbers and on the order of N3 operations to encode or decode a message consisting of N bits.
A second type of trap-door function which has been used to create public key cryptosystems is based on the difficulty of determining which numbers are squares in a group, usually the multiplicative group modulo pq for large primes p and q.
Just as in the first type, key creation is cumbersome and encoding and decoding are computationally intensive, requiring on the order of N3 operations to encode or decode a message consisting of N bits.
A third type of trap-door function involves the discrete logarithm problem in a group, generally the multiplicative group or an elliptic curve modulo a large prime p. Again, key creation is cumbersome, since the prime p needs at least 150 digits and p - 1 must have a large prime factor; and such systems use exponentiation, so again require on the order of N3 operations to encode or decode a message consisting of N bits.
A fourth type of trap-door function which has been used to create public key cryptosystems is based on the knapsack, or subset sum, problem. These functions use a semigroup, normally the semigroup of positive integers under addition.
Many public key cryptosystems of this type have been broken using lattice reduction techniques, so they are no longer considered secure systems.
A fifth type of trap-door function which has been used to SUBSTITUTE SHEET (RULE 26) create public key cryptosystems is based on error correcting codes, especially Goppa codes. These cryptosystems use linear algebra over a finite field, generally the field with two elements. There are linear algebra attacks on these cryptosystems, so the key for a secure cryptosystem is a large rectangular matrix, on the order of 400,000 bits. This is too large for most applications.
A sixth type of trap-door function which has been used to create public key cryptosystems is based on the difficulty of finding extremely short basis vectors in a lattice of large dimension N. The keys for such a system have length on the order of Nz bits, which is too large for many applications. In addition, these lattice reduction public key cryptosystems are very new, so their security has not yet been fully analyzed.
Most users, therefore, would find it desirable to have a public key cryptosystem which combines relatively short, easily created keys with relatively high speed encoding and decoding processes.
It is among the objects of the invention to provide a public key encryption system for which keys are relatively short and easily created and for which the encoding and decoding processes can be performed rapidly. It is also among the objects hereof to provide a public key encryption system which has relatively low memory requirements and which depends on a variety of parameters that permit substantial flexibility in balancing security level, key length, encoding and decoding speed, memory requirements, and bandwidth.
SUBSTITUTE SHEET (RULE 26) SUMMARY OF THE INVENTION
The invention allows keys to be chosen essentially at random from a large set of vectors, with key lengths comparable to the key lengths in other common public key cryptosystems, and features an appropriate (e.g. = 28° for current circumstances) security level, and provides encoding and decoding processes which are between one and two orders of magnitude faster than the most widely used public key cryptosystem, namely the exponentiation cryptosystem referenced above.
The encoding technique of an embodiment of the public key cryptosystem hereof uses a mixing system based on polynomial algebra and reduction modulo two numbers, p and q, while the decoding technique uses an unmixing system whose validity depends on elementary probability theory. The security of the public key cryptosystem hereof comes from the interaction of the polynomial mixing system with the independence of reduction modulo p and q. Security also relies on the experimentally observed fact that for most lattices, it is very difficult to find the shortest vector if there are a large number of vectors which are only moderately longer than the shortest vector.
An embodiment of the invention is in the form of a method for encoding and decoding a digital message m, comprising the following steps: selecting ideals p and q of a ring R;
generating elements f and g of the ring R, and generating SUBSTITUTE SHEET (RULE 26) WO 98/08323 PCT/fJS97/I5826 element Fq which is an inverse of f (mod q), and generating element Fp which is an inverse of f (mod p); producing a public key that includes h, where h is congruent, mod q, to a product that can be derived using g and Fq; producing a private key from which f and FP can be derived; producing an encoded message a by encoding the message m using the public key and a random element m; and producing a decoded message by decoding the encoded message a using the private key.
Further features and advantages of the invention will become more readily apparent from the following detailed description when taken in conjunction with the accompanying drawings.
SUBST1TL1TE SHEET (RULE 26) BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of a system that can be used in practicing embodiments of the invention.
Figure 2 is a flow diagram of a public key encryption system which, when taken with the subsidiary flow diagrams referred to therein, can be used in implementing embodiments of the invention.
Figure 3 is a flow diagram of a routine, in accordance with an embodiment of the invention, for generating public and private keys.
Figure 4 is a flow diagram in accordance with an embodiment of the invention, for encoding a message using a public key.
Figure 5 is a flow diagram in accordance with an embodiment of the invention, for decoding an encoded message using a private key.
Figure 6 is a flow diagram of a routine, in accordance with another embodiment of the invention, for generating public and private keys.
Figure 7 is a flow diagram in accordance with another embodiment of the invention, for encoding a message using a public key.
Figure 8 is a flow diagram in accordance with another embodiment of the invention, for decoding an encoded message using a private key.
SUBSTITUTE SHEET (RULE 26) DETAILED DESCRIPTION
Figure 1 is a block diagram of a system that can be used in practicing embodiments of the invention. Two processor-based subsystems 105 and 155 are shown as being in communication over an insecure channel 50, which may be, for example, any.wired or wireless communication channel such as a telephone or Internet communication channel. The subsystem 105 includes processor 110 and the subsystem 155 includes processor 160. When programmed in the manner to be described, the processors 110 and 160 and their associated circuits can be used to implement an embodiment of the invention and to practice an embodiment of the method of the invention. The processors 110 and 160 may each be any suitable processor, for example an electronic digital processor or microprocessor. It will be understood that any general purpose or special purpose processor, or other machine or circuitry that can perform the functions described herein, electronically, optically, or by other means, can be utilized. The processors may be, for example, Intel Pentium processors. The subsystem 105 will typically include memories 123, clock and timing circuitry 121, input/output functions 118 and monitor 125, which may all be of conventional types. Inputs can include a keyboard input as represented at 103. Communication is via transceiver 135, which may comprise a modem or any suitable device for communicating signals.
The subsystem 155 in this illustrative embodiment can SUBSTITUTE SHEET (RULE 26) have a similar configuration to that of subsystem 105. The processor 160 has associated input/output circuitry 164, memories 168, clock and timing circuitry 173, and a monitor 176. Inputs include a keyboard 155. Communication of subsystem 155 with the outside world is via transceiver 162 which, again, may comprise a modem or any suitable device for communicating signals.
The encoding technique of an embodiment of the public key cryptosystem hereof uses a mixing system based on polynomial algebra and reduction modulo two numbers, p and q, while the decoding technique uses an unmixing system whose validity depends on elementary probability theory. [It will be understood that the polynomial is a convenient representation of ordered coefficients (a polynomial of degree N-1 having N
ordered coefficients, some of which may be zero), and that the processor will perform designated operations on coefficients.]
The security of the public key cryptosystem hereof comes from the interaction of the polynomial mixing system with the independence of reduction modulo p and q. Security also relies on the experimentally observed fact that for most lattices, it is very difficult to find the shortest vector if there are a large number of vectors which are only moderately longer than the shortest vector.
The cryptosystem hereof fits into the general framework of a probabilistic cryptosystem as described in M. Blum et al., "An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All Partial Information", Advances in Cryptology:
SUBSTITUTE SHEET (RULE 26) Proceedings of CRYPTO 84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, 1985, pp. 289-299; and S.
Goldwasser et al., "Probabilistic Encryption", J. Computer and Systems Science 28 (1984), 270-299. This means that encryption includes a random element, so each message has many possible encryptions. Encoding and decoding and key creation are relatively fast and easy using the technique hereof, in which it takes O(NZ) operations to encode or decode a message block of length N, making it considerably faster than the O(N3) operations required by RSA. Key lengths are O(N), which compares well with the O(Nz) key lengths required by other "fast" public keys systems such as those described in R.J.
McEliece, "A Public-Key Cryptosystem Based On Algebraic Coding Theory", JPL Pasadena, DSN Progress Reports 42-44 (1978), 114-116 and O. Goldreich et al. "Public-Key Cryptosystems From Lattice Reduction Problems", MIT - Laboratory for Computer Science preprint, November 1996.
An embodiment of the cryptosystem hereof depends on four integer parameters (N, K, p, q) and three sets ~q, ~0, ~m of polynomials of degree N-1 with integer coefficients. This embodiment works in the ring R = Z[X]/(XN-1). An element F E R
will be written as a polynomial or a vector, N
F = ~ FIxN-1 = [ Fl , FZ , . . . , FN] .
~=i The star "*" denotes multiplication in R. This star SUBSTITUTE SHEET (RULE 2fi) multiplication is given explicitly as a cyclic convolution product, F * G = H with k-1 N
Hk = ~ FiGk_i + ~ FiGN,k_i = ~ FiGj .
i=1 j=k i+j=k (mod N) When a multiplication modulo (say) q is performed, the coefficients are reduced modulo q. Further reference can be made to Appendix 1.
The following is an example of an embodiment in accordance with the invention of a public key cryptosystem.
Very small numbers are used for ease of illustration, so the example would not be cryptographically secure. In conjunction with the example there is described, as material in double brackets (Q~), operating parameters that would provide a practical cryptographically secure cryptosystem under current conditions. Further discussion of the operating parameters to achieve a particular level of security is set forth in Appendix 1, which also describes the degree of immunity of an embodiment of the cryptosystem hereof to various types of attack.
The objects used in an embodiment hereof are polynomials of degree N-1, alxN 1 + a2xN-2 + ... + aN_ix + aN~
where the coefficients a"..., a,~ are integers. In the "star"
multiplication hereof, x"' is replaced by 1, and x"+1 is replaced by x, and xN-z is replaced by x2, and so on. [A polynomial may SUBSTiTUTF SH E~T {RULE 26) also be represented by an N-tuple of numbers [ai, aZ, . . . , aN] .
In such case the star product is also known as the convolution product. For large values of N, it may be faster to compute convolution products using the method of Fast Fourier Transforms, which take on the order of NlogN steps instead of N2 steps.] For example, taking N=5, and two exemplary polynomials, the star multiplication gives (x4+2x2-3x+2) * (2xq+3x3+5x-1) =2x8+3x'+4x6+5x5- 6x4+16x3 -17x2+13x-2 =2x3+3x2+4x+5x-6x'+16x3-17x2+13x-2 -- 6x4+18x3 -14x2+17x+3 QA secure system may use, for example N = 167 or N = 263.D
[This embodiment uses the ring of polynomials with integer coefficients modulo the ideal consisting of all multiples of xN
-1. More generally, one could use polynomials modulo a different ideal; and even more generally, one could use some other ring R. For further information on rings and ideals, reference can be made, for example, to Topics in Algebra by I.N. Herstein.]
Another aspect of the present embodiment involves reducing the coefficients of a polynomial modulo an integer, such as the ideal q. This essentially means dividing each coefficient by q and replacing the coefficient with its remainder. For example, if q = 128 and if some coefficient is 2377, then that coefficient would be replaced with 73, because SUBSTITUTE SHEET (RULE 26) 2377 divided by 128 equals 18, with a remainder of 73.
However, it is easier to use "centered remainders." This means that if the remainder is between 0 and q/2, it is left alone, but if it is between q/2 and q, then q is subtracted from it. Accordingly, using centered reminders for q = 128, 2377 would be replaced by -55, since -55 = 73 - 128.
To indicate that this remainder process is being performed, a triple equal sign (--_) is used, along with the designation "mod q." The following is an example which combines star multiplication of two polynomials with reduction modulo 5. The answer uses centered remainders.
(x4+2x2-3x+2) * (2x'+3x3+5x-1) - -6x'+18x3-l4xZ+17x+3 - -x'-2x3+xz+2x-2 (mod 5) .
In creating a public key cryptosystem in accordance with an embodiment hereof (and with the previously indicated small numbers for ease of illustration), a first step is to choose integer parameters N, K, p, and q. Take, for example N = 5, K = 1, p = 3, q = 128.
QA secure system may use, for example, N=167, K=6, p=3, q=21s 65536. Preferably, p and q will be relatively prime; that is, they will have no common factors greater than 1. A
discussion of the desirability of having the ideals p and q be relatively prime is set forth in Appendix 1.
Some sets of polynomials are chosen, as follows:
SUBSTITUTE SHEET (RULE 26) {polynomials whose coefficients are -2's, -1's, 0's, 1's, and 2's}
{polynomials with two -1's, two 1's, and one 0 as coefficients}
{polynomials whose coefficients are -1's, 0's, and 1's}
QA secure system may use, for example {polynomials whose coefficients lie between -177 and 177}
{polynomials whose coefficients are forty 1's, forty -1's, the rest 0's}
{polynomials whose coefficients lie between -3 and 3}
(Note: The polynomials have degree N-1, so for the secure parameters of the example, the polynomials have degree 166.
Further, the actual message m being encoded consists of the remainders when the coefficients of m are divided by p, where in this example p = 3.)D
The set ~g is used to create the key for the cryptosystem, the set ~0 is used for encoding messages, and the set ~m is the set of possible messages. For example, 2x'-x3+x-2 is in the set fig, and x'-x3-x2+1 is in the set ~9 To implement the key creation of this example, the key creator, call him Dan, chooses two polynomials f and g from the set fig. In this simplified example K = 1, so there is one polynomial g. Suppose that Dan chooses f = x4-x3+2x2-2x+1, SUBST1TUTF SHEET (RULE 26) g = x4-x'+x2-2x+2.
QA secure system may use, for example, K + 1 polynomials f, 91, , ~ ~ ~ gx E ~g with K = 6 .
A requirement hereof is that f must have an inverse modulo q and an inverse modulo p. What this means is that there must be polynomials Fq and FP so that Fq * f - 1 (mod q) and Fp * f --__ 1 (mod p) .
The well known Euclidean algorithm can be used to compute Fq and FF. Reference can be made, for example, to Appendix II
hereof. (Some f's may not have inverses, in which case Dan would have to go back and choose another f.) For the above example f, we have F~ = 103x' + 29x3 + 116x2 + 79x + 58, Fp = 2x' + 2x .
To check that this is the right Fq for f, one can multiply FQ * f = (103x'+29x3+116x2+79x+58) * (x4-x3+2x2-2x+1) - 256x° + 256x - 127 _ 1 (mod 128) .
Similarly, to check that Fp is correct, one can multiply FP * f = (2x' + 2x) * (x4 - x'+ 2xz - 2x + 1}
- 6x3 - 6xz + 6x - 2 1 (mod 3).
Now, the key creator Dan is ready to create his public key, which is the polynomial h given by h =_ F~ * g (mod q) .
QA secure system may use, for example, K polynomials hl,.. " hK
given by SUBSTITUTE SHEET (RULE 26) WO 98/08323 PCTlUS97/15826 hi --__ Fq * gi (mod q) with i = 1, 2, . . . , K, with K = 6.~
Continuing with the example, Dan would compute Fq * g = (103x4+29x3+116x2+79x+58) * (x4-x3+xz-2x+2) - 243x' - 50x' + 58x2 + 232x - 98 _ -13x4 - 50x3 + 58x2 - 24x + 30 (mod 128).
Then Dan's public key is the polynomial h = - 13x4 - 50x3 + 58x2 -24x + 30.
Dan's private key is the pair of polynomials (f, FP). In principle, the polynomial f itself can function as the private key, because FP can always be computed from f; but in practice Dan would probably want to precompute and save FP.
In the next part of the example, encoding with the public key is described. Suppose the encoder, call her Cathy, wants to send Dan a message using his public key h. She chooses a message from the set of possible message Vim. For example, suppose that she wants to send the message m = x' - x3 + x2 + 1.
To encode this message, she chooses at random a polynomial m from the set Via. For example, say she selects ra = - x4 + x3 - x2 + 1.
She uses this randomly chosen polynomial m, Dan's public key h (as well as p and q, which are part of the public key), and her plaintext message m to create the encoded message a using the formula e --__ pra * h + m (mod q) .
QA secure system may use K public keys hl,...,hK, with K = 6 SUBSTITUTE SHEET (RULE 26) for the secure example. To encode a message, Cathy can randomly choose K polynomials osl, . . . , mK from the set ~m and then create the encoded message a by computing e --__ pral*hl+pra2*h2+. . . +pmK*hK+m (mod q) . ]~ An alternative would be to let h equal pFq*g (mod q), and then the message can be encoded using the formula a = m*h+m (mod q). For the present example, Cathy computes pm * h + m = 3 (-xq+x3-xz+1) * (-13x-50x3+58x2-24x+30) + (X4 - X3 + X2 + 1 ) - -374x4 + 50x3 + 196x2 - 357x + 487 _ 10x4 + 50x3 - 60x2 + 27x - 25 (mod 128) .
So Cathy's encoded message is the polynomial a = lOx~ + 50x' - 60x2 + 27x - 25, and she sends this encoded message to Dan.
In the next part of the example, decoding using the private key is described. In order to decode the message e, Dan first uses his private key f to compute the polynomial a = f * a (mod q) .
For the example being used, he computes f * a = (x4-x3+2x2-2x+1) * (10x4+50x3-60x2+27x-25) - -262x~ + 259x3 - 124x2 - 13x + 142 -6x4 + 3x3 + 4x2 - 13x + 14 (mod 128) , so the polynomial a is a = -6x4 + 3x' + 4x2 - 13x + 14.
Next, Dan uses FP, the other half of his private key, to compute Fp * a (mod p) , SUBSTITUTE SHEET (RULE 26) and the result will be the decoded message. Thus for the present example, Dan computes FP * a = (2x' + 2x) * (-6x4 + 3x3 + 4x2 - 13x + 14) - 34x' - 4x3 - 20x2 + 36x - 38 x4 - x3 + x2 + 1 ( mod 3 ) .
Reference can be made to Appendix I for further description of why the decoding works.
In a further embodiment of the invention the ring is a ring of matrices. For example, one can use the ring R = (the ring of M x M matrices with integer coef f icients) .
An element of R looks like all alt ... alM
azl a2a azM
arri aMZ ... ar~r where the coefficients a;~ are integers. Addition and multiplication are as usual for matrices, and it will be understood that the processor can treat the matrix members as numbers stored and operated on in any convenient manner. Let N = M2, so a matrix in R has N coefficients. Relatively prime integers p and q are chosen.
In this case, to create a private key, Dan chooses K + 2 matrices from R. These matrices can be called f,g,wl,wz, ...,wK.
These matrices should have the property that f,g,wl,...,wK have SUBSTTTLJTE SHEET {RULE 26) fairly small coefficients, and every w: satisfies wi = 0 (mod p) .
(In other words, every coefficient of every wi is a multiple of p.) To create his key, Dan needs to find inverses for f and g modulo p and q . Thus he f finds matrices FP, Fq, Gp, Gq in R
satisfying fFp - I (mod p) fFq - I (mod q) gGP - I ( mod p ) gGq - I (mod q) where I is the M x M identity matrix. In general, this is quite easy to do; and if by some chance one of the inverses fail to exist, Dan just chooses a new f or g.
Dan' s public key is a list of K matrices (hi, h2, . . . , hK) determined by the condition h; - FqwiGq (mod q) for i = 1, 2, . . . , K.
(Note that the wi's are congruent to zero modulo p.) His private key is the four matrices (f,g,Fp,Gp). In principle, f and g alone can be used as the private key, but in practice it is more efficient to precompute and store Fp, Gp.
The encoding for this matrix example is described next.
Suppose that Cathy wants to encode a message m. The message m is a matrix with coefficients modulo p. In order to encode her message, she chooses at random some integers ml,...,rax satisfying some condition; for example, they might be chosen to be non-negative integers whose sum ml+...+mK equals a predetermined value d. (Note that the ra;'s are ordinary SUBSTITUTE SHEET (RULE 26) WO 98/08323 PCTlUS97/15826 integers, they are not matrices. Equivalently, they can be thought of as multiples of the identity matrix, so they will commute with every element of the ring R.) Having chosen her sai's, Cathy creates her encoded message a by the rule a - mlhl + mzh2 + . . . + asKhK + m (mod q) .
The decoding for this matrix example is described next.
We now assume that Dan has received the encoded message a and wishes to decipher it. He begins by computing the matrix a satisfying a - feg (mod q).
As usual, Dan chooses the coefficients of a in some restricted range, such as from -q/2 to q/2 (i.e., zero-centered coefficients), or from 0 to q-1.
If the parameters have been chosen appropriately, then the matrix a will be exactly equal to the sum a = mewl + o2w2 + . . . ~a,~wK + fmg .
(This will always be true modulo q, but a key point is that if q is large enough, then it will be an exact equality, not merely modulo q.) Dan's next step is to reduce a modulo p, say b =_ a (mod p) .
Since all of the coefficients of the wi's are divisible by p, this means that b - fmg (mod p) .
Finally Dan computes FpbGp ( mod p ) to recover the original message m.
SUBSTITUTE SHEET (RULE 26) The described M x M matrix embodiment has excellent operating time. Encoding requires only additions and takes on the order of Mz operations. Decoding requires two matrix multiplications of M x M matrices, so takes on the order of M3 operations. The message length is on the order of Mz, so if N
denotes the natural message length (i.e., N = M2), then the matrix embodiment requires O(N) steps to encode and O(N3~2) steps to decode. For comparison, the polynomial embodiment requires O(NZ) steps to encode and O(NZ) steps to decode, and the RSA public key system requires O(N3) steps to encode and O(N3) steps to decode.
A preliminary analysis suggests that the only natural lattice attacks on the matrix embodiment require using lattices whose dimension is NZ+N (or larger). This would be a significant security improvement over the 2N dimensional lattices used to attack the polynomial embodiment.
In order to avoid brute-force (or potential meet-in-the-middle) attacks, it is necessary that the sample space for the m;'s be fairly large, say between 21°° and 2200. However, this is not difficult to achieve. For example, if the mi's are chosen non-negative with surn d, then the sample space has (d+K-11 - ( d+K-1 ) !
K-1 d!(K-1)!
elements. So if one takes K = 15 and d = 1024, for example, one gets a sample space with 21o3.s elements.
The public key size is KMzlog2(q) bits, and the private SUBSTITUTE SHEET (RULE 26) key size is 2MZlog2(pq) bits. Both of these are of a practical size.
Figure 2 illustrates a basic procedure that can be utilized with a public key encryption system, and refers to routines illustrated by other referenced flow diagrams which describe features in accordance with an embodiment of the invention. The block 210 represents the generating of the public key and private key information, and the "publishing"
of the public key. The routine of an embodiment hereof is described in conjunction with the flow diagram of Figure 3.
In the present example, it can be assumed that this operation is performed at the processor system 105. The public key information can be published; that is, made available to any member of the public or to any desired group from whom the private key holder desires to receive encrypted messages.
Typically, although not necessarily, the public key may be made available at a central public key library facility or website where a directory of public key holders and their public keys are maintained. In the present example, it is assumed that the user of the processor system 155 wants to send a confidential message to the user of processor system 105, and that the user of processor system 155 knows the published public key of the user of processor system 150.
The block 220 represents the routine that can be used by the message sender (that is, in this example, the user of processor system 155) to encode the plaintext message using the public key of the intended message recipient. This SUBSTITUTE SHEET (RULE 26) routine, in accordance with an embodiment of the invention, is described in conjunction with the flow diagram of Figure 4.
The encrypted message is then transmitted over the channel 50 (Figure 1).
The block 260 of Figure 2 represents the routine for the decoding of the encrypted message to recover the plaintext message. In the present example, this function is performed by the user of the processor system 105, who employs the private key information. The decoding routine, for an embodiment of the invention, is described in conjunction with the flow diagram of Figure 5.
Referring now to Figure 3, there is shown a flow diagram of the routine, as represented generally by the block 210 of Figure 2, for generating the public and private keys. The routine can be utilized, in the present example, for programming the processor 110 of the processor system 105.
The block 305 represents the choosing of integer parameters N, p, and q. As first described above, N determines the degree of the' polynomials f and g; to be generated, and p and q are, respectively, the two ideals used in producing the star products. The block 315 represents the selection of K, which is the number of polynomials gi to be used. In the simplified example above, K was 1, and it was noted that a particular exemplary relatively secure system could use K = 6. Next, the block 325 represents the choosing of random polynomials f, gl, g2...gK. The coefficients may, for example, be chosen using a random number generator, which can be implemented, in known SUBSTITUTE SHEET (RULE 26) fashion, using available hardware or software. In the present embodiment, each of the processor systems is provided with a random number generator, designated by the blocks 130 and 185 respectively, in Figure 1.
The block 340 represents application of the Euclidean algorithm to determine the inverses, Fq and Fp, in the manner described above, for the previously selected polynomial f, if such inverses exist. If Fp, Fq do not exist, the block 325 is re-entered, and a new polynomial f is chosen. The loop 330 is continued until polynomials are chosen for which the defined inverses can be computed. [The probability of the inverses existing for a given polynomial is relatively high, so a relatively small number of traversals through the loop 330 will generally be expected before the condition is met.] The block 350 is then entered, this block representing the computation of the public key, h in accordance with h = Fq*g (mod q) as first described above. [For K>1, there will be public key components hi for i - 1,2,...,K.] As represented by the block 360, the private key is retained as the polynomials f, FP, and the public key can then be published, as represented by the block 370.
Figure 4 is a flow diagram, represented generally by the block 240 of Figure 2, of a routine for programming a processor, such as the processor 160 of the processor system 155 (Figure 1) to implement encoding of a plaintext message m.
The message to be encoded is input (block 420) and a random SUBSTITUTE SHEET (RULE 26y polynomial m is chosen (block 430). [If K>1, then K random polynomials ral, m2, . . . , mK are chosen. ] The polynomial can be from the set ~0, as described above, and the random coefficients can be selected by any hardware or software means, for example the random number generator 185. The encoded message, e, can then be computed (block 450) as a = pm*h + m (mod q).
As first noted above, for K greater than 1, the encoded message would be a - pr~l*hl + p02*hz + . . . . + pmk*hk + m (mod q) .
The encoded message can be transmitted (block 460) over channel 50 to the keyholder who, in the present example, is the user of the processor system 105.
Figure 5 is a flow diagram represented generally in Figure 2 by the block 260, of a routine in accordance with an embodiment of the invention for decoding the encrypted message. The block 530 represents the receiving of the encrypted message, e. The retained private key information, which includes the previously defined polynomials f and Fp, and the integers N, p, and q, are fetched (block 550). Next, the block 570 represents the computation of a --__ f*e (mod q) .
The decoded message, designated here as m', can then be computed (block 580) as m' _ Fp * a ( mod p ) .
Figures 6, 7 and 8 are flow diagrams relating to the above-described matrix embodiment. Figure 6 is a flow diagram SUBSTTTUTE SHEET (RULE 26) of the routine, as represented generally by the block 210 of Figure 2, for generating the public and private keys. As above, the routine can be utilized, in the present example, for programming the processor 110 of the processor system 105.
The block 605 represents the choosing of integer parameters N, p, and q, where N is the number of matrix coefficients, and p and q are relatively prime integers. The block 615 represents the selection of K, which determines the number of matrices.
Next, the block 625 represents the choosing of random matrices f , g, wl, w2, . . . , wk, with the requirement that wl, wz, . . . , wK are all congruent to 0 modulo p. Again, the random number generator 130 (Figure 1) can be used for this purpose.
The block 640 represents determination of the previously defined matrices Fp, Fq, Gp and Gq. If these matrices do not exist, the block 625 is re-entered, and new matrices f and g are chosen. The loop 630 is continued until matrices are chosen for which the defined inverses can be computed. The block 650 is then entered, this block representing the computation of the public key, a list of K matrices (hl, h2, . . . , hK) determined by the condition hi - FqwiG~ (mod q) for i = 1, 2 , . . . , K.
As represented by the block 660, the private key is retained as the matrices (f, g, Fp, GP) and the public key can then be published, as represented by the block 670.
Figure 7 is a flow diagram, represented generally by the block 240 of Figure 2, of a routine for programming a processor, such as the processor 160 of the processor system SUBSTITUTE SHEET (RULE 26) 155 (Figure 1) to implement encoding of a plaintext message m using the technique of the present matrix embodiment. The message to be encoded is input (block 720) and the random integers asl, 02, . . . , mk are chosen (block 730) . The integers can be selected by the random number generator 185 (Figure 1).
The encoded message, e, can then be computed (block 750) as a - ralhl + m2h2 + . . . + mxhK + m (mod q) .
The encoded message can be transmitted (block 760) over channel 50, to the keyholder which, in the present example, is the user of the processor system 105.
Figure 8 is a flow diagram represented generally in Figure 2 by the block 260, of a routine for decoding the encrypted message in accordance with the present matrix embodiment. The block 830 represents the receiving of the encrypted message, e. The retained private key information, which includes the previously defined F, g, Fp and Gp, and the integers N, p, and q, are fetched (block 850). Then, the block 870 represents the computation of a - feg (mod q) .
Next, a is reduced modulo p to b (block 880) as b --__ a (mod p).
The decoded message is then computed (block 890) as m' _ FpbGp ( mod p ) .
The invention has been described with reference to particular preferred embodiments, but variations within the spirit and scope of the invention will occur to those skilled SUBSTITUTE SHEET (RULE 26) in the art. For example, it will be understood that the public or private keys can be stored on any suitable media, for example a "smart card", which can be provided with a microprocessor capable of performing encoding and/or decoding, so that encrypted messages can be communicated to and/or from the smart card.
SU85TTTUTE SHEET (RULE 26) NTRU: A RING-BASED PUBLIC KEY CRYPTOSYSTEM
JEFFREY HOFFSTEIN, ,TILL PIP HER, JOSEPH H. SILVERMAN
ABSTRACT. We describe NTRU, a new public key cryptosystem. NTRU
features reasonably short. easily created keys, high speed, and low memory requirements. NTRU encoding and decoding uses a mixing system suggested by polynomial algebra combined with a clustering principle based on elemen-tary probability theory. The security of the NTRU cryptosystem comes from the interaction of the polynomial mixing system with the independence of reduction modulo two relatively prime integers p and q.
CONTENTS
0. Introduction 1. Description of the NTRU Algorithm 2. Parameter Selection 3. Security Analysis 4. Implementation Considerations 5. Moderate Security Parameters For NTRU
FIELD OF THE INVENTION
This invention relates to encoding and decoding of information and, more particularly, to a public key cryptosystem for encryption and decryption of digital messages by processor systems.
BACKGROUND OF THE INVENTION
Secure exchange of data between two parties, for example, between two computers, requires encryption. There are two general methods of encryption in use today, private key encryption and public key encryption. In private key encryption, the two parties privately exchange the keys to be used for encoding and decoding. A widely used example of a private key cryptosystem is DES, the Data Encryption Standard.
Such systems can be very fast and very secure, but they suffer the disadvantage that the two parties must exchange their keys privately.
A public key cryptosystem is one in which each party can publish their encoding process without compromising the security of the decoding process. The encoding process is popularly called a trap-door function. Public key cryptosystems, although generally slower than private key cryptosystems, are used for transmitting small amounts of data, such as credit card numbers, and also to transmit a private key which is then used for private key encoding.
Heretofore a variety of trap-door functions have been proposed and implemented for public key cryptosystems.
One type of trap-door function which has been used to create public key cryptosystems involves exponentiation in a group; that is, taking an element of a group and repeatedly multiplying the element by itself using the group operation.
The group most often chosen is the multiplicative group modulo pq for large prime numbers p and q, although other groups such as elliptic curves, abelian varieties, and even non-commutative matrix groups, have been described. However, this type of trap-door function requires large prime numbers, on the order of 100 digits each, making key creation cumbersome;
SUBSTITUTE SHEET (RULE 26) and the exponentiation process used for encoding and decoding is computationally intensive, requiring many multiplications of hundred digit numbers and on the order of N3 operations to encode or decode a message consisting of N bits.
A second type of trap-door function which has been used to create public key cryptosystems is based on the difficulty of determining which numbers are squares in a group, usually the multiplicative group modulo pq for large primes p and q.
Just as in the first type, key creation is cumbersome and encoding and decoding are computationally intensive, requiring on the order of N3 operations to encode or decode a message consisting of N bits.
A third type of trap-door function involves the discrete logarithm problem in a group, generally the multiplicative group or an elliptic curve modulo a large prime p. Again, key creation is cumbersome, since the prime p needs at least 150 digits and p - 1 must have a large prime factor; and such systems use exponentiation, so again require on the order of N3 operations to encode or decode a message consisting of N bits.
A fourth type of trap-door function which has been used to create public key cryptosystems is based on the knapsack, or subset sum, problem. These functions use a semigroup, normally the semigroup of positive integers under addition.
Many public key cryptosystems of this type have been broken using lattice reduction techniques, so they are no longer considered secure systems.
A fifth type of trap-door function which has been used to SUBSTITUTE SHEET (RULE 26) create public key cryptosystems is based on error correcting codes, especially Goppa codes. These cryptosystems use linear algebra over a finite field, generally the field with two elements. There are linear algebra attacks on these cryptosystems, so the key for a secure cryptosystem is a large rectangular matrix, on the order of 400,000 bits. This is too large for most applications.
A sixth type of trap-door function which has been used to create public key cryptosystems is based on the difficulty of finding extremely short basis vectors in a lattice of large dimension N. The keys for such a system have length on the order of Nz bits, which is too large for many applications. In addition, these lattice reduction public key cryptosystems are very new, so their security has not yet been fully analyzed.
Most users, therefore, would find it desirable to have a public key cryptosystem which combines relatively short, easily created keys with relatively high speed encoding and decoding processes.
It is among the objects of the invention to provide a public key encryption system for which keys are relatively short and easily created and for which the encoding and decoding processes can be performed rapidly. It is also among the objects hereof to provide a public key encryption system which has relatively low memory requirements and which depends on a variety of parameters that permit substantial flexibility in balancing security level, key length, encoding and decoding speed, memory requirements, and bandwidth.
SUBSTITUTE SHEET (RULE 26) SUMMARY OF THE INVENTION
The invention allows keys to be chosen essentially at random from a large set of vectors, with key lengths comparable to the key lengths in other common public key cryptosystems, and features an appropriate (e.g. = 28° for current circumstances) security level, and provides encoding and decoding processes which are between one and two orders of magnitude faster than the most widely used public key cryptosystem, namely the exponentiation cryptosystem referenced above.
The encoding technique of an embodiment of the public key cryptosystem hereof uses a mixing system based on polynomial algebra and reduction modulo two numbers, p and q, while the decoding technique uses an unmixing system whose validity depends on elementary probability theory. The security of the public key cryptosystem hereof comes from the interaction of the polynomial mixing system with the independence of reduction modulo p and q. Security also relies on the experimentally observed fact that for most lattices, it is very difficult to find the shortest vector if there are a large number of vectors which are only moderately longer than the shortest vector.
An embodiment of the invention is in the form of a method for encoding and decoding a digital message m, comprising the following steps: selecting ideals p and q of a ring R;
generating elements f and g of the ring R, and generating SUBSTITUTE SHEET (RULE 26) WO 98/08323 PCT/fJS97/I5826 element Fq which is an inverse of f (mod q), and generating element Fp which is an inverse of f (mod p); producing a public key that includes h, where h is congruent, mod q, to a product that can be derived using g and Fq; producing a private key from which f and FP can be derived; producing an encoded message a by encoding the message m using the public key and a random element m; and producing a decoded message by decoding the encoded message a using the private key.
Further features and advantages of the invention will become more readily apparent from the following detailed description when taken in conjunction with the accompanying drawings.
SUBST1TL1TE SHEET (RULE 26) BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1 is a block diagram of a system that can be used in practicing embodiments of the invention.
Figure 2 is a flow diagram of a public key encryption system which, when taken with the subsidiary flow diagrams referred to therein, can be used in implementing embodiments of the invention.
Figure 3 is a flow diagram of a routine, in accordance with an embodiment of the invention, for generating public and private keys.
Figure 4 is a flow diagram in accordance with an embodiment of the invention, for encoding a message using a public key.
Figure 5 is a flow diagram in accordance with an embodiment of the invention, for decoding an encoded message using a private key.
Figure 6 is a flow diagram of a routine, in accordance with another embodiment of the invention, for generating public and private keys.
Figure 7 is a flow diagram in accordance with another embodiment of the invention, for encoding a message using a public key.
Figure 8 is a flow diagram in accordance with another embodiment of the invention, for decoding an encoded message using a private key.
SUBSTITUTE SHEET (RULE 26) DETAILED DESCRIPTION
Figure 1 is a block diagram of a system that can be used in practicing embodiments of the invention. Two processor-based subsystems 105 and 155 are shown as being in communication over an insecure channel 50, which may be, for example, any.wired or wireless communication channel such as a telephone or Internet communication channel. The subsystem 105 includes processor 110 and the subsystem 155 includes processor 160. When programmed in the manner to be described, the processors 110 and 160 and their associated circuits can be used to implement an embodiment of the invention and to practice an embodiment of the method of the invention. The processors 110 and 160 may each be any suitable processor, for example an electronic digital processor or microprocessor. It will be understood that any general purpose or special purpose processor, or other machine or circuitry that can perform the functions described herein, electronically, optically, or by other means, can be utilized. The processors may be, for example, Intel Pentium processors. The subsystem 105 will typically include memories 123, clock and timing circuitry 121, input/output functions 118 and monitor 125, which may all be of conventional types. Inputs can include a keyboard input as represented at 103. Communication is via transceiver 135, which may comprise a modem or any suitable device for communicating signals.
The subsystem 155 in this illustrative embodiment can SUBSTITUTE SHEET (RULE 26) have a similar configuration to that of subsystem 105. The processor 160 has associated input/output circuitry 164, memories 168, clock and timing circuitry 173, and a monitor 176. Inputs include a keyboard 155. Communication of subsystem 155 with the outside world is via transceiver 162 which, again, may comprise a modem or any suitable device for communicating signals.
The encoding technique of an embodiment of the public key cryptosystem hereof uses a mixing system based on polynomial algebra and reduction modulo two numbers, p and q, while the decoding technique uses an unmixing system whose validity depends on elementary probability theory. [It will be understood that the polynomial is a convenient representation of ordered coefficients (a polynomial of degree N-1 having N
ordered coefficients, some of which may be zero), and that the processor will perform designated operations on coefficients.]
The security of the public key cryptosystem hereof comes from the interaction of the polynomial mixing system with the independence of reduction modulo p and q. Security also relies on the experimentally observed fact that for most lattices, it is very difficult to find the shortest vector if there are a large number of vectors which are only moderately longer than the shortest vector.
The cryptosystem hereof fits into the general framework of a probabilistic cryptosystem as described in M. Blum et al., "An Efficient Probabilistic Public-Key Encryption Scheme Which Hides All Partial Information", Advances in Cryptology:
SUBSTITUTE SHEET (RULE 26) Proceedings of CRYPTO 84, Lecture Notes in Computer Science, Vol. 196, Springer-Verlag, 1985, pp. 289-299; and S.
Goldwasser et al., "Probabilistic Encryption", J. Computer and Systems Science 28 (1984), 270-299. This means that encryption includes a random element, so each message has many possible encryptions. Encoding and decoding and key creation are relatively fast and easy using the technique hereof, in which it takes O(NZ) operations to encode or decode a message block of length N, making it considerably faster than the O(N3) operations required by RSA. Key lengths are O(N), which compares well with the O(Nz) key lengths required by other "fast" public keys systems such as those described in R.J.
McEliece, "A Public-Key Cryptosystem Based On Algebraic Coding Theory", JPL Pasadena, DSN Progress Reports 42-44 (1978), 114-116 and O. Goldreich et al. "Public-Key Cryptosystems From Lattice Reduction Problems", MIT - Laboratory for Computer Science preprint, November 1996.
An embodiment of the cryptosystem hereof depends on four integer parameters (N, K, p, q) and three sets ~q, ~0, ~m of polynomials of degree N-1 with integer coefficients. This embodiment works in the ring R = Z[X]/(XN-1). An element F E R
will be written as a polynomial or a vector, N
F = ~ FIxN-1 = [ Fl , FZ , . . . , FN] .
~=i The star "*" denotes multiplication in R. This star SUBSTITUTE SHEET (RULE 2fi) multiplication is given explicitly as a cyclic convolution product, F * G = H with k-1 N
Hk = ~ FiGk_i + ~ FiGN,k_i = ~ FiGj .
i=1 j=k i+j=k (mod N) When a multiplication modulo (say) q is performed, the coefficients are reduced modulo q. Further reference can be made to Appendix 1.
The following is an example of an embodiment in accordance with the invention of a public key cryptosystem.
Very small numbers are used for ease of illustration, so the example would not be cryptographically secure. In conjunction with the example there is described, as material in double brackets (Q~), operating parameters that would provide a practical cryptographically secure cryptosystem under current conditions. Further discussion of the operating parameters to achieve a particular level of security is set forth in Appendix 1, which also describes the degree of immunity of an embodiment of the cryptosystem hereof to various types of attack.
The objects used in an embodiment hereof are polynomials of degree N-1, alxN 1 + a2xN-2 + ... + aN_ix + aN~
where the coefficients a"..., a,~ are integers. In the "star"
multiplication hereof, x"' is replaced by 1, and x"+1 is replaced by x, and xN-z is replaced by x2, and so on. [A polynomial may SUBSTiTUTF SH E~T {RULE 26) also be represented by an N-tuple of numbers [ai, aZ, . . . , aN] .
In such case the star product is also known as the convolution product. For large values of N, it may be faster to compute convolution products using the method of Fast Fourier Transforms, which take on the order of NlogN steps instead of N2 steps.] For example, taking N=5, and two exemplary polynomials, the star multiplication gives (x4+2x2-3x+2) * (2xq+3x3+5x-1) =2x8+3x'+4x6+5x5- 6x4+16x3 -17x2+13x-2 =2x3+3x2+4x+5x-6x'+16x3-17x2+13x-2 -- 6x4+18x3 -14x2+17x+3 QA secure system may use, for example N = 167 or N = 263.D
[This embodiment uses the ring of polynomials with integer coefficients modulo the ideal consisting of all multiples of xN
-1. More generally, one could use polynomials modulo a different ideal; and even more generally, one could use some other ring R. For further information on rings and ideals, reference can be made, for example, to Topics in Algebra by I.N. Herstein.]
Another aspect of the present embodiment involves reducing the coefficients of a polynomial modulo an integer, such as the ideal q. This essentially means dividing each coefficient by q and replacing the coefficient with its remainder. For example, if q = 128 and if some coefficient is 2377, then that coefficient would be replaced with 73, because SUBSTITUTE SHEET (RULE 26) 2377 divided by 128 equals 18, with a remainder of 73.
However, it is easier to use "centered remainders." This means that if the remainder is between 0 and q/2, it is left alone, but if it is between q/2 and q, then q is subtracted from it. Accordingly, using centered reminders for q = 128, 2377 would be replaced by -55, since -55 = 73 - 128.
To indicate that this remainder process is being performed, a triple equal sign (--_) is used, along with the designation "mod q." The following is an example which combines star multiplication of two polynomials with reduction modulo 5. The answer uses centered remainders.
(x4+2x2-3x+2) * (2x'+3x3+5x-1) - -6x'+18x3-l4xZ+17x+3 - -x'-2x3+xz+2x-2 (mod 5) .
In creating a public key cryptosystem in accordance with an embodiment hereof (and with the previously indicated small numbers for ease of illustration), a first step is to choose integer parameters N, K, p, and q. Take, for example N = 5, K = 1, p = 3, q = 128.
QA secure system may use, for example, N=167, K=6, p=3, q=21s 65536. Preferably, p and q will be relatively prime; that is, they will have no common factors greater than 1. A
discussion of the desirability of having the ideals p and q be relatively prime is set forth in Appendix 1.
Some sets of polynomials are chosen, as follows:
SUBSTITUTE SHEET (RULE 26) {polynomials whose coefficients are -2's, -1's, 0's, 1's, and 2's}
{polynomials with two -1's, two 1's, and one 0 as coefficients}
{polynomials whose coefficients are -1's, 0's, and 1's}
QA secure system may use, for example {polynomials whose coefficients lie between -177 and 177}
{polynomials whose coefficients are forty 1's, forty -1's, the rest 0's}
{polynomials whose coefficients lie between -3 and 3}
(Note: The polynomials have degree N-1, so for the secure parameters of the example, the polynomials have degree 166.
Further, the actual message m being encoded consists of the remainders when the coefficients of m are divided by p, where in this example p = 3.)D
The set ~g is used to create the key for the cryptosystem, the set ~0 is used for encoding messages, and the set ~m is the set of possible messages. For example, 2x'-x3+x-2 is in the set fig, and x'-x3-x2+1 is in the set ~9 To implement the key creation of this example, the key creator, call him Dan, chooses two polynomials f and g from the set fig. In this simplified example K = 1, so there is one polynomial g. Suppose that Dan chooses f = x4-x3+2x2-2x+1, SUBST1TUTF SHEET (RULE 26) g = x4-x'+x2-2x+2.
QA secure system may use, for example, K + 1 polynomials f, 91, , ~ ~ ~ gx E ~g with K = 6 .
A requirement hereof is that f must have an inverse modulo q and an inverse modulo p. What this means is that there must be polynomials Fq and FP so that Fq * f - 1 (mod q) and Fp * f --__ 1 (mod p) .
The well known Euclidean algorithm can be used to compute Fq and FF. Reference can be made, for example, to Appendix II
hereof. (Some f's may not have inverses, in which case Dan would have to go back and choose another f.) For the above example f, we have F~ = 103x' + 29x3 + 116x2 + 79x + 58, Fp = 2x' + 2x .
To check that this is the right Fq for f, one can multiply FQ * f = (103x'+29x3+116x2+79x+58) * (x4-x3+2x2-2x+1) - 256x° + 256x - 127 _ 1 (mod 128) .
Similarly, to check that Fp is correct, one can multiply FP * f = (2x' + 2x) * (x4 - x'+ 2xz - 2x + 1}
- 6x3 - 6xz + 6x - 2 1 (mod 3).
Now, the key creator Dan is ready to create his public key, which is the polynomial h given by h =_ F~ * g (mod q) .
QA secure system may use, for example, K polynomials hl,.. " hK
given by SUBSTITUTE SHEET (RULE 26) WO 98/08323 PCTlUS97/15826 hi --__ Fq * gi (mod q) with i = 1, 2, . . . , K, with K = 6.~
Continuing with the example, Dan would compute Fq * g = (103x4+29x3+116x2+79x+58) * (x4-x3+xz-2x+2) - 243x' - 50x' + 58x2 + 232x - 98 _ -13x4 - 50x3 + 58x2 - 24x + 30 (mod 128).
Then Dan's public key is the polynomial h = - 13x4 - 50x3 + 58x2 -24x + 30.
Dan's private key is the pair of polynomials (f, FP). In principle, the polynomial f itself can function as the private key, because FP can always be computed from f; but in practice Dan would probably want to precompute and save FP.
In the next part of the example, encoding with the public key is described. Suppose the encoder, call her Cathy, wants to send Dan a message using his public key h. She chooses a message from the set of possible message Vim. For example, suppose that she wants to send the message m = x' - x3 + x2 + 1.
To encode this message, she chooses at random a polynomial m from the set Via. For example, say she selects ra = - x4 + x3 - x2 + 1.
She uses this randomly chosen polynomial m, Dan's public key h (as well as p and q, which are part of the public key), and her plaintext message m to create the encoded message a using the formula e --__ pra * h + m (mod q) .
QA secure system may use K public keys hl,...,hK, with K = 6 SUBSTITUTE SHEET (RULE 26) for the secure example. To encode a message, Cathy can randomly choose K polynomials osl, . . . , mK from the set ~m and then create the encoded message a by computing e --__ pral*hl+pra2*h2+. . . +pmK*hK+m (mod q) . ]~ An alternative would be to let h equal pFq*g (mod q), and then the message can be encoded using the formula a = m*h+m (mod q). For the present example, Cathy computes pm * h + m = 3 (-xq+x3-xz+1) * (-13x-50x3+58x2-24x+30) + (X4 - X3 + X2 + 1 ) - -374x4 + 50x3 + 196x2 - 357x + 487 _ 10x4 + 50x3 - 60x2 + 27x - 25 (mod 128) .
So Cathy's encoded message is the polynomial a = lOx~ + 50x' - 60x2 + 27x - 25, and she sends this encoded message to Dan.
In the next part of the example, decoding using the private key is described. In order to decode the message e, Dan first uses his private key f to compute the polynomial a = f * a (mod q) .
For the example being used, he computes f * a = (x4-x3+2x2-2x+1) * (10x4+50x3-60x2+27x-25) - -262x~ + 259x3 - 124x2 - 13x + 142 -6x4 + 3x3 + 4x2 - 13x + 14 (mod 128) , so the polynomial a is a = -6x4 + 3x' + 4x2 - 13x + 14.
Next, Dan uses FP, the other half of his private key, to compute Fp * a (mod p) , SUBSTITUTE SHEET (RULE 26) and the result will be the decoded message. Thus for the present example, Dan computes FP * a = (2x' + 2x) * (-6x4 + 3x3 + 4x2 - 13x + 14) - 34x' - 4x3 - 20x2 + 36x - 38 x4 - x3 + x2 + 1 ( mod 3 ) .
Reference can be made to Appendix I for further description of why the decoding works.
In a further embodiment of the invention the ring is a ring of matrices. For example, one can use the ring R = (the ring of M x M matrices with integer coef f icients) .
An element of R looks like all alt ... alM
azl a2a azM
arri aMZ ... ar~r where the coefficients a;~ are integers. Addition and multiplication are as usual for matrices, and it will be understood that the processor can treat the matrix members as numbers stored and operated on in any convenient manner. Let N = M2, so a matrix in R has N coefficients. Relatively prime integers p and q are chosen.
In this case, to create a private key, Dan chooses K + 2 matrices from R. These matrices can be called f,g,wl,wz, ...,wK.
These matrices should have the property that f,g,wl,...,wK have SUBSTTTLJTE SHEET {RULE 26) fairly small coefficients, and every w: satisfies wi = 0 (mod p) .
(In other words, every coefficient of every wi is a multiple of p.) To create his key, Dan needs to find inverses for f and g modulo p and q . Thus he f finds matrices FP, Fq, Gp, Gq in R
satisfying fFp - I (mod p) fFq - I (mod q) gGP - I ( mod p ) gGq - I (mod q) where I is the M x M identity matrix. In general, this is quite easy to do; and if by some chance one of the inverses fail to exist, Dan just chooses a new f or g.
Dan' s public key is a list of K matrices (hi, h2, . . . , hK) determined by the condition h; - FqwiGq (mod q) for i = 1, 2, . . . , K.
(Note that the wi's are congruent to zero modulo p.) His private key is the four matrices (f,g,Fp,Gp). In principle, f and g alone can be used as the private key, but in practice it is more efficient to precompute and store Fp, Gp.
The encoding for this matrix example is described next.
Suppose that Cathy wants to encode a message m. The message m is a matrix with coefficients modulo p. In order to encode her message, she chooses at random some integers ml,...,rax satisfying some condition; for example, they might be chosen to be non-negative integers whose sum ml+...+mK equals a predetermined value d. (Note that the ra;'s are ordinary SUBSTITUTE SHEET (RULE 26) WO 98/08323 PCTlUS97/15826 integers, they are not matrices. Equivalently, they can be thought of as multiples of the identity matrix, so they will commute with every element of the ring R.) Having chosen her sai's, Cathy creates her encoded message a by the rule a - mlhl + mzh2 + . . . + asKhK + m (mod q) .
The decoding for this matrix example is described next.
We now assume that Dan has received the encoded message a and wishes to decipher it. He begins by computing the matrix a satisfying a - feg (mod q).
As usual, Dan chooses the coefficients of a in some restricted range, such as from -q/2 to q/2 (i.e., zero-centered coefficients), or from 0 to q-1.
If the parameters have been chosen appropriately, then the matrix a will be exactly equal to the sum a = mewl + o2w2 + . . . ~a,~wK + fmg .
(This will always be true modulo q, but a key point is that if q is large enough, then it will be an exact equality, not merely modulo q.) Dan's next step is to reduce a modulo p, say b =_ a (mod p) .
Since all of the coefficients of the wi's are divisible by p, this means that b - fmg (mod p) .
Finally Dan computes FpbGp ( mod p ) to recover the original message m.
SUBSTITUTE SHEET (RULE 26) The described M x M matrix embodiment has excellent operating time. Encoding requires only additions and takes on the order of Mz operations. Decoding requires two matrix multiplications of M x M matrices, so takes on the order of M3 operations. The message length is on the order of Mz, so if N
denotes the natural message length (i.e., N = M2), then the matrix embodiment requires O(N) steps to encode and O(N3~2) steps to decode. For comparison, the polynomial embodiment requires O(NZ) steps to encode and O(NZ) steps to decode, and the RSA public key system requires O(N3) steps to encode and O(N3) steps to decode.
A preliminary analysis suggests that the only natural lattice attacks on the matrix embodiment require using lattices whose dimension is NZ+N (or larger). This would be a significant security improvement over the 2N dimensional lattices used to attack the polynomial embodiment.
In order to avoid brute-force (or potential meet-in-the-middle) attacks, it is necessary that the sample space for the m;'s be fairly large, say between 21°° and 2200. However, this is not difficult to achieve. For example, if the mi's are chosen non-negative with surn d, then the sample space has (d+K-11 - ( d+K-1 ) !
K-1 d!(K-1)!
elements. So if one takes K = 15 and d = 1024, for example, one gets a sample space with 21o3.s elements.
The public key size is KMzlog2(q) bits, and the private SUBSTITUTE SHEET (RULE 26) key size is 2MZlog2(pq) bits. Both of these are of a practical size.
Figure 2 illustrates a basic procedure that can be utilized with a public key encryption system, and refers to routines illustrated by other referenced flow diagrams which describe features in accordance with an embodiment of the invention. The block 210 represents the generating of the public key and private key information, and the "publishing"
of the public key. The routine of an embodiment hereof is described in conjunction with the flow diagram of Figure 3.
In the present example, it can be assumed that this operation is performed at the processor system 105. The public key information can be published; that is, made available to any member of the public or to any desired group from whom the private key holder desires to receive encrypted messages.
Typically, although not necessarily, the public key may be made available at a central public key library facility or website where a directory of public key holders and their public keys are maintained. In the present example, it is assumed that the user of the processor system 155 wants to send a confidential message to the user of processor system 105, and that the user of processor system 155 knows the published public key of the user of processor system 150.
The block 220 represents the routine that can be used by the message sender (that is, in this example, the user of processor system 155) to encode the plaintext message using the public key of the intended message recipient. This SUBSTITUTE SHEET (RULE 26) routine, in accordance with an embodiment of the invention, is described in conjunction with the flow diagram of Figure 4.
The encrypted message is then transmitted over the channel 50 (Figure 1).
The block 260 of Figure 2 represents the routine for the decoding of the encrypted message to recover the plaintext message. In the present example, this function is performed by the user of the processor system 105, who employs the private key information. The decoding routine, for an embodiment of the invention, is described in conjunction with the flow diagram of Figure 5.
Referring now to Figure 3, there is shown a flow diagram of the routine, as represented generally by the block 210 of Figure 2, for generating the public and private keys. The routine can be utilized, in the present example, for programming the processor 110 of the processor system 105.
The block 305 represents the choosing of integer parameters N, p, and q. As first described above, N determines the degree of the' polynomials f and g; to be generated, and p and q are, respectively, the two ideals used in producing the star products. The block 315 represents the selection of K, which is the number of polynomials gi to be used. In the simplified example above, K was 1, and it was noted that a particular exemplary relatively secure system could use K = 6. Next, the block 325 represents the choosing of random polynomials f, gl, g2...gK. The coefficients may, for example, be chosen using a random number generator, which can be implemented, in known SUBSTITUTE SHEET (RULE 26) fashion, using available hardware or software. In the present embodiment, each of the processor systems is provided with a random number generator, designated by the blocks 130 and 185 respectively, in Figure 1.
The block 340 represents application of the Euclidean algorithm to determine the inverses, Fq and Fp, in the manner described above, for the previously selected polynomial f, if such inverses exist. If Fp, Fq do not exist, the block 325 is re-entered, and a new polynomial f is chosen. The loop 330 is continued until polynomials are chosen for which the defined inverses can be computed. [The probability of the inverses existing for a given polynomial is relatively high, so a relatively small number of traversals through the loop 330 will generally be expected before the condition is met.] The block 350 is then entered, this block representing the computation of the public key, h in accordance with h = Fq*g (mod q) as first described above. [For K>1, there will be public key components hi for i - 1,2,...,K.] As represented by the block 360, the private key is retained as the polynomials f, FP, and the public key can then be published, as represented by the block 370.
Figure 4 is a flow diagram, represented generally by the block 240 of Figure 2, of a routine for programming a processor, such as the processor 160 of the processor system 155 (Figure 1) to implement encoding of a plaintext message m.
The message to be encoded is input (block 420) and a random SUBSTITUTE SHEET (RULE 26y polynomial m is chosen (block 430). [If K>1, then K random polynomials ral, m2, . . . , mK are chosen. ] The polynomial can be from the set ~0, as described above, and the random coefficients can be selected by any hardware or software means, for example the random number generator 185. The encoded message, e, can then be computed (block 450) as a = pm*h + m (mod q).
As first noted above, for K greater than 1, the encoded message would be a - pr~l*hl + p02*hz + . . . . + pmk*hk + m (mod q) .
The encoded message can be transmitted (block 460) over channel 50 to the keyholder who, in the present example, is the user of the processor system 105.
Figure 5 is a flow diagram represented generally in Figure 2 by the block 260, of a routine in accordance with an embodiment of the invention for decoding the encrypted message. The block 530 represents the receiving of the encrypted message, e. The retained private key information, which includes the previously defined polynomials f and Fp, and the integers N, p, and q, are fetched (block 550). Next, the block 570 represents the computation of a --__ f*e (mod q) .
The decoded message, designated here as m', can then be computed (block 580) as m' _ Fp * a ( mod p ) .
Figures 6, 7 and 8 are flow diagrams relating to the above-described matrix embodiment. Figure 6 is a flow diagram SUBSTTTUTE SHEET (RULE 26) of the routine, as represented generally by the block 210 of Figure 2, for generating the public and private keys. As above, the routine can be utilized, in the present example, for programming the processor 110 of the processor system 105.
The block 605 represents the choosing of integer parameters N, p, and q, where N is the number of matrix coefficients, and p and q are relatively prime integers. The block 615 represents the selection of K, which determines the number of matrices.
Next, the block 625 represents the choosing of random matrices f , g, wl, w2, . . . , wk, with the requirement that wl, wz, . . . , wK are all congruent to 0 modulo p. Again, the random number generator 130 (Figure 1) can be used for this purpose.
The block 640 represents determination of the previously defined matrices Fp, Fq, Gp and Gq. If these matrices do not exist, the block 625 is re-entered, and new matrices f and g are chosen. The loop 630 is continued until matrices are chosen for which the defined inverses can be computed. The block 650 is then entered, this block representing the computation of the public key, a list of K matrices (hl, h2, . . . , hK) determined by the condition hi - FqwiG~ (mod q) for i = 1, 2 , . . . , K.
As represented by the block 660, the private key is retained as the matrices (f, g, Fp, GP) and the public key can then be published, as represented by the block 670.
Figure 7 is a flow diagram, represented generally by the block 240 of Figure 2, of a routine for programming a processor, such as the processor 160 of the processor system SUBSTITUTE SHEET (RULE 26) 155 (Figure 1) to implement encoding of a plaintext message m using the technique of the present matrix embodiment. The message to be encoded is input (block 720) and the random integers asl, 02, . . . , mk are chosen (block 730) . The integers can be selected by the random number generator 185 (Figure 1).
The encoded message, e, can then be computed (block 750) as a - ralhl + m2h2 + . . . + mxhK + m (mod q) .
The encoded message can be transmitted (block 760) over channel 50, to the keyholder which, in the present example, is the user of the processor system 105.
Figure 8 is a flow diagram represented generally in Figure 2 by the block 260, of a routine for decoding the encrypted message in accordance with the present matrix embodiment. The block 830 represents the receiving of the encrypted message, e. The retained private key information, which includes the previously defined F, g, Fp and Gp, and the integers N, p, and q, are fetched (block 850). Then, the block 870 represents the computation of a - feg (mod q) .
Next, a is reduced modulo p to b (block 880) as b --__ a (mod p).
The decoded message is then computed (block 890) as m' _ FpbGp ( mod p ) .
The invention has been described with reference to particular preferred embodiments, but variations within the spirit and scope of the invention will occur to those skilled SUBSTITUTE SHEET (RULE 26) in the art. For example, it will be understood that the public or private keys can be stored on any suitable media, for example a "smart card", which can be provided with a microprocessor capable of performing encoding and/or decoding, so that encrypted messages can be communicated to and/or from the smart card.
SU85TTTUTE SHEET (RULE 26) NTRU: A RING-BASED PUBLIC KEY CRYPTOSYSTEM
JEFFREY HOFFSTEIN, ,TILL PIP HER, JOSEPH H. SILVERMAN
ABSTRACT. We describe NTRU, a new public key cryptosystem. NTRU
features reasonably short. easily created keys, high speed, and low memory requirements. NTRU encoding and decoding uses a mixing system suggested by polynomial algebra combined with a clustering principle based on elemen-tary probability theory. The security of the NTRU cryptosystem comes from the interaction of the polynomial mixing system with the independence of reduction modulo two relatively prime integers p and q.
CONTENTS
0. Introduction 1. Description of the NTRU Algorithm 2. Parameter Selection 3. Security Analysis 4. Implementation Considerations 5. Moderate Security Parameters For NTRU
6. Comparison With Other PKCS's Appendix A. An Elementary Lemma ~O. INTRODUCTION
There has been considerable interest in the creation of efficient and computationally inexpensive public key cryptosystems since Diffie and Hellman (4~ explained how such systems could be created using one-way functions. Currently, the most widely used pub-lic key system is RSA, which was created by Rivest, Shamir and Adelman in 1978 (10~
and is based on the difficulty of factoring large numbers. Other systems include the Typeset by ASS-TIC
SUBSTTTUTE SHE~'3'tRULE Z6) WO 98/08323 3p PCT/US97/15826 McEliece system (9~ which relies on error correcting codes, and a recent system of Gol-dreich, Goldwasser, and Halevi (5~ which is based on the difficulty of lattice reduction problems.
In this paper we describe a new public key cryptosystem, which we call the NTRU
system. The encoding procedure uses a mixing system based on polynomial algebra and reduction modulo two numbers p and q, while the decoding procedure uses an unmixing system whose validity depends on elementary probability theory. The security of the NTRU public key cryptosystem comes from the interaction of the polynomial mixing system with the independence of reduction modulo ,v and q. Security also relies on the (experimentally observed) fact that for most lattices, it is very difficult to find extremely short (as opposed to moderately short) vectors.
We mention that. the presentation in this paper differs from an earlier, widely circu-lated but unpublished, preprint (7~ in two major ways. First, we have introduced a new parameter K which can be used to produce systems with better operating characteris-tics. Second, the analysis of lattice-based attacks has been expanded and clarified, based largely on the numerous comments received from Don Coppersmith, Johan Hastad, and Adi Shamir in person, via email, and in the recent article (3~. We would like to take this opportunity to thank them for their interest and their help.
NTRU fits into the general framework of a probabilistic cryptosystem as described in (1~ and (6~. This means that encryption includes a random element, so each message has many possible encryptions. Encoding and decoding with NTRU are extremely fast, and key creation is fast and easy. See Sections 4 and 5 for specifics, but we note here that NTRU takes O(N2) operations to encode or decode a message block of length N, making it considerably faster than the O(N3) operations required by RSA. Farther, NTRU key lengths are O(N), which compares well with the O(NZ) key lengths required by other "fast" public keys systems such as (9, 5J.
~l. DESCRIPTION OF THE NTRU ALGORITHM
~1.1. Notation. An NTRU cryptosystem depends on four integer parameters (N, K, p, q) and three sets G9, G~, Gr" of polynomials of degree N - 1 with integer coefficients. We work in the ring R = 7~(X~/(XN - 1). An element F E R will be written as a polynomial or a vector, N
F _ FixN Z = (Fl ~ F2~ . . . , FN).
i=1 We write Q to denote multiplication in R. This star multiplication is given explicitly as a cyclic convolution product, k-1 N
F OO G = H with Hk = ~ FiGk_i -~ ~ FiGN+k-i = ~ FiGj.
i=1 j=k i~-j=_k (mod N) When we do a multiplication modulo (say) q, we mean to reduce the coefficients modulo q.
Remark. In principle, computation of a product F O G requires N2 multiplications. How-ever. for a typical product used by NTRU, one of F or G has small coefficients, so the SU8ST1TUTE SHEET (RULE 26) computation of F O G is very fast. On the other hand, if N is taken to be large, then it might be faster to use Fast Fourier Transforms to compute products F OO G in O(N log N) operations.
~1.2 Key Creation. To create an NTRU key, Dan randomly chooses K-I-1 polynomials f, gl, . . . , gx E G9. The polynomial f must satisfy the additional requirement that it have inverses modulo q and modulo ~. For suitable parameter choices, this will be true for most choices of f , and the actual computation of these inverses is easy using a modification of the Euclidean algorithm. We will denote these inverses by F9 and Fp, that is, Fq Q f - 1 (mod q) and Fr O f = 1 (mod ~). (1}
Dan next computes the quantities hi = F9 ~ gi (mod q), 1 < i < K. (2) Dan's public key is the list of polynomials (hl, h2, . . . , hx).
Dan's private key is the single polynomial f , although in practice he will also want to store Fp.
~1.3 Encoding. Suppose that Cathy (the encoder) wants to send a message to Dan (the decoder). She begins by selecting a message rn from the set of pla,intexts G,,,,. Next she randomly chooses K polynomials ~1, . . . , ~x E G~ and uses Dan's public key (hl, . . . , hx) to compute x a =- ~~~i O hi + m (mod q).
i=1 This is the encoded message which Cathy transmits to Dan.
~1.4 Decoding. Suppose that Dan has received the message a from Cathy and wants to decode it using his private key f . To do this efficiently, Dan should have precomputed the polynomial F~ described in Section 1.1.
In order to decode e, Dan first computes a - f ~ a (mod q), where he chooses the coefficients of a in the interval from -q/2 to q/2. Now treating a as a polynomial with integer coefficients, Dan recovers the message by computing F~ OO a (mod w).
Remark. For appropriate parameter values, there is an extremely high probability that the decoding procedure will recover the original message. However, some parameter choices may cause occasional decoding failure, so one should probably include a few check bits in each message block. The usual cause of decoding failure will be that the message is improperly centered. In this case Dan will be able to recover the message by choosing the coefficients of a = f O a (mod q) in a slightly different interval, for example from -q/2 + x to q/2 + x for some small (positive or negative} value of x. If no value of ~ works, then we say that we have gap failure and the message cannot be decoded as easily. For well-chosen parameter values, this will occur so rarely that it can be ignored in practice.
SUBSTITUTE SHEET (RULE 26) X1.5 Why Decoding Works. The polynomial a that Dan computes satisfies K
a = f OO a - ~ f ~ phi OO h.i + f O m (mod q) i=1 K
f ~ p~i ~ FQ O* gi + f ~ m (mod q) from {2), i=1 K
~p~i OO gi + f ~ m (mod q) from (1).
i=1 Consider this last polynomial K
~, p~i O gi -~ f *O m.
i=1 For appropriate parameter choices, we can ensure that (almost always) alI of its coefficients lie between -q/2 and q/2, so that it doesn't change if its coefficients are reduced modulo q.
This means that when Dan reduces the coefficients of f O a modulo q into the interval from -q/2 to q/2, he recovers exactly the polynomial K
a=~p~iOO gi+f Om in 7G(X~~{XN-1).
i=1 Reducing a modulo p then gives him the polynomial f Q m {mod p), and multiplication by F~, retrieves the message m (mod p).
~2 PARAMETER SELECTION
~2.1 Notation and a norm estimate. We define the width of an element F E R to be ~F~oo - lm~ ~Fi} - 1~ N{Fi}~
As our notation suggests, this is a sort of L°° norm on R.
Similarly, we define a centered L2 noun on R by ~F~z - C~{Fi - F)2 ' , where F = N ~ Fi.
z_i / i=i (Equivalently, ~F~2 /~ is the standard deviation of the coefficients of F.) SUBSTTTUTE SHEET (RULE 2fi~
Proposition. For any a > 0 there are constants cl, c2 > 0, depending on e. N
and K, such that for randomly chosen polynomials Fl, . . . , FK, Gl, . . . , GK E R, the probability is greater than 1 - c that they satisfy K K K
Cl ~ (Fi~2 ' ~Gi~2 C ~~ Fi O Gi < c2 ~ IFil2 ~ IGil2 .
i=1 z-1 ~ i=1 Of course, this proposition would be useless from a practical veiwpoint if the ratio c2/cl were very large for small c's. However, it turns out that even for moderately large values of N and K and very small values of e, the constants cl, c2 are not at all extreme.
We have verified this experimentally in a large number of situations and have an outline of a theoretical proof.
~2.2 Sample spaces. As examples of typical sample spaces, we will take G9 = {g E R : g has coefficients between -(r - 1)/2 and (r - 1}/2 inclusive}
GQ = {~ E R. : ~ has d coefficients equal 1, d coefficients equal -l, the rest Gm, _ {m E R : m has coefficients between -(s - 1}/2 and (s - 1)/2 inclusive Later we will see that there are various constraints which r, d, s must satisfy in order to achieve security. We also note that every ~ E G~ has L2 norm ~~~2 = 2d, while average elements g E G9 and m E G~,, have L2 norms ~g~2 = ~N(r2 - 1)/12 and ~m~2 =
N(s2 - 1}/12 respectively. To ease notation, we will write L9, L~, L".z for the average L2 norm of elements of G9, G~, G,r,, respectively.
Although it is not strictly necessary, we will make the additional assumption that L,,,,, ~ pL~ This assumption will make it easier to analyze possible lattice attacks, as well as making such attacks less effective. As an example, suppose we take d ~ N/4.
Then we would take s ~ ~p. So the natural mod p information contained in m would have to be "thickened" by randomly adding and subtracting p to coefficients of m.
X2.3 A decoding criterion. As described in ~1.5, Dan will be able to decode the en-coded message m provided that ~~ phi O gi -i- f O m~~ < q. We can use the inequality (3}
of the above Proposition (with K + 1 in place of K and for a suitably small choice of ~) to estimate x x ~p~i~gi'~f ~ml <C2~p~~i~2'~gi~2+Ifl2'Iml2 i=1 ~° i=1 c2L9(KpL~ + L",,) .~ cZpL9L~(K + 1} using the assumption L,,, ~ pL~
So in order to decode (with probability 1 - a}, Dan needs to choose parameters satisfying the decoding constraint c2pLsL~(K + 1) < q. (4) SUBSTITUTE SNEET (RULE Z6) ~3 SECURITY ANALYSIS
~3.1 Meet-in-the-middle attacks. For simplicity (and to aid the attacker), we assume K = 1, so an encoded message looks like a - ~ ~ h. + m (mod q). Andrew Odlyzko has pointed out that there is a meet-in-the-middle attack which can be used against ~, and we observe that a similar attack applies also to the private key f . Briefly, one splits f in half, say f = fl -i- f2, and then one matches fl Q a against - f2 p e, looking for ( fl, f2) so that the corresponding coefficients have approximately the same value. Hence in order to obtain a security level of (say) 2g°, one must choose f , g, and ~
from sets containing around 2lso elements.
~3.2 Multiple transmission attacks. Again for simplicity we assume that K = 1.
We observe that if Cathy sends a single message m several times using the same public key but different random ~'s, then the attacker Betty will be able to recover a large part of the message. Briefly, suppose that Cathy transmits ei - ~i~h+m (mod q) for i = 1, 2, . . . , r.
Betty can then compute (e2 - el) Q h-1 (mod q), thereby recovering ~i - ~1 (mod q).
However, the coefficients of the ~'s are so small that she recovers exactly ~i - ~1, and from this she will recover exactly many of the coefficients of ~1. If r is even of moderate size (say 4 or 5), Betty will recover enough of ~1 to be able to test all possibilities by brute force,thereby recovering m. Thus multiple transmission are not advised without some further scrambling of the underlying message. We do point out that even if Betty decodes a single message in this fashion, this information will not assist her in decoding any further messages.
~3.3 Lattice based attacks.
We begin with a few words concerning lattice reduction. The goal of lattice reduction is to find one or more ''small" vectors in a given lattice .A~1. In theory, the smallest vector in ./1~1 can be found by an exhaustive search, but in practice this is not possible if the dimension of .M is large. The LLL algorithm of Lenstra-Lenstra-Lovasz ~8~, with various improvements due to Schnorr (1 i, 12~ and others; will find small vectors of .N! in polynomial time, but for most lattices of large ( > 100, say) dimension, it will not find the smallest vector, and the gap between the smallest LLL-determinable vector and the actual smallest vector appears to increase exponentially with the dimension.
In order to describe the security of NTRU from lattice attacks, we consider the following three hypotheses on lattices of large dimension:
(Hi) For most lattices J1~1, the length ~{J~t) of the smallest non-zero vector of .M
satisfies dir~(.M) Disc(,M)1/dim(JLl) C ~(~) C dim(,/Vl) Disc(.M)lldim{.n~t) Hence if v E .M satisfies dim(JVl) D1SC(,M)l~dim(.n'1)' ire then v will be hidden in a cloud of exponentially many vectors of approximately the same length.
SUBSTITUTE SHEET (RULE 26) (H2 ) Suppose that the lattice Jlil has a vector w which is smaller than the shortest expected vector described by (H1 ), but that .M is otherwise a ''random"
lattice.
If w satisfies Iwl > h-dim(Jv1) dim(.M) D1SC(./~)l~dim(.M) ire then lattice reduction is highly unlikely to find w.
(H3) Suppose we are in the situation of (H2). Then the smallest non-zero vector vLLL computed by lattice reduction methods is almost certain to satisfy VLLLI ~ ~dim(M)~w~, Remark. The lattice reduction constant ~ which appears in hypotheses (H2) and (H3) must be determined by experimentation and experience. This is similar to the situation with the RSA PKCS, where security rests on estimating current capabilities for factoring products pq. It is even more closely analogous to the PKCS described in (5~, whose security is directly linked to the difficulty of finding small (almost orthogonalized) bases for lattices. Experiments with lattices of large ( > 100) dimension suggest that one can take r~ = 1.51100. (See, for example, (11~ and (12~.) And just as future advances in factorization will require the use of larger primes in the RSA PKCS, so future advances in lattice reduction will undoubtedly require using a smaller value of ~ and correspondingly larger parameters in NTRU. We also mention that we will only need to assume hypotheses (HZ) and (H3) for lattices of dimension greater than 700. For lattices of such high dimension, even the LLL algorithm with Schnorr's block reduction improvement takes quite a long time. If we are willing to assume hypotheses (H2) and (H3) for lattices of dimension around 300, we can choose NTRU parameters with even better operating characteristics.
~3.3.1 Small lattice attack on the key f . We begin with what is probably the most natural lattice, namely we take any one of the hi's and search for the small vector f with the property that hi ~ f {mod q) is also small. To do this, we write h~ _ (hil, . . . , hiN~
and consider the lattice ,M generated by the columns of the following matrix:
a 0 ~~~ 0 0 0 ~~~ 0 0 a ~~~ 0 0 0 ~~~ 0 _ 0 0 ~-~ a 0 0 ~~~ 0 h; hit . . . hiN q 0 . . . 0 l hit hi3 ... hil 0 q ... 0 hiN hil ... hi,N-1 0 0 ... q With an eye towards future notational convenience, we will write this matrix as M _ ~ aI 0 iti qI
SUBSTITUTE SHEET (RULE 26) The quantity ~ will be chosen by the attacker to optimize the attack. We observe that .~1~( satisfies dim(.M) = 2N and Disc(,M) = aNqN.
There are two issues to consider. First, is the actual key f embedded in .M as a short vector. Notice that Jv( contains the target vector vtarg=~~fN~~~~ >~flogil~~~~ ~9iN~~
and knowledge of vtarg allows recovery of f . However, we can compute the length of vtarg aS
wtarg~2 = ~~f 12 + ~gi~2 - L9 ~2 '+ 1.
Hypothesis (Hi) says that f is safe from attack if wtarg~2 satisfies the inequality ~vtarg~2 > dim(.M) Disc(,M)l~dim(JVl) - 2N~q ~e ire In other words, we need Lg ~ + a-1 > 2Nq.
~e The optimal .~ from the attacker's viewpoint is .~ = 1 (see Lemma A.l), since she wants to minimize the left-hand side. So we will be safe provided ~eL9 q~ N
A second consideration is whether some other small vector in ,M might allow the attacker to decode the message. Thus any small vector ~ f', g'~ E .NL has the property that f' and hi OO f' = g' (mod q) are both small. However, if the attacker computes x a OO f' _ ~ P~~ ~ hj OO f' -!- m ~ f' (mod q), j=1 only the term with j = i will have small coefficients modulo q. Hence an f' which makes a single hi small will not act as a decoding key. This suggests that we look at all of the h,j's simultaneously, which leads us to the next lattice.
~3.3.2 Big lattice attack on the key f . Rather than using only one of the hi's, the attacker can instead form a lattice using some subset of the hi's. Relabeling, we will assume that the attacker uses hl, . . . , hk for some 1 < k G K and forms the lattice .M
generated by the columns of the matrix ~I 0 0 0 ~~~0 hl qI 0 0 ~~-0 0 qI 0 ~~~0 h3 0 0 qI ~~~0 h,~ 0 0 0 ~~~qI
SUBSTITUTE SHEET (RULE 26) (We are using the abbreviated notation from the previous section.) This lattice satisfies dim(.M) _ (k + 1)N and Disc(~l~t) _ ,~NqkN
It contains the target vector (using the obvious shorthand) '~targ = ~~.f, 91 > 92, . . . , 9k~.
(More precisely, the coordinates of f need to be reversed.) This target vector has length Ivtargl2 = ~~f 12 + 19112 + . . . I9k12 = L9 ~2 + k.
Hypothesis (H2) says that lattice reduction will not be able to find vtarg provided that its length satisfies Ivtargl2 > I~-dim(Nt) dim(,M) D1SC(./~)1/dim(~l~t) ~e _ ~-(k+1)N (k + 1)N _ ~1/(k+1)qk/(k+i) ~e So we will be safe from attack if L9 ,~2k/(k+1) - k,~-2/(k+1) ] ~-(k+1)N (k + 1)Nqk/(k+1) - ire As before, the attacker will choose a to minimize the left-hand side. Again it turns out that .~ = 1 gives the minimum (See Lemma A.1), so the actual key will be safe under Hypothesis (H2 ) provided qk/(k+1) ~ ~(k+1)NL9 ~
N
X3.3.3 Big lattice attack on a spurious key f . Rather than searching for the true key f , the attacker might try to find some other key F which acts as a decoding key. In order to be a spurious key, F itself and also each of the products h~ ~ F (mod q) must be small. More precisely, suppose that the attacker finds an F and computes G~ - h~ OO F (mod q) for j = l, 2, . . . , K.
We would like to know that the width (L°° norm) of an expression ~1~G1+200 G2+...+~KOO GK+rrtOO F
is generally at least Wq for some wrapping factor W. (We will discuss in Section 4 the question of how large W must. be for for the system to be secure.) SUBSTITUTE SHEET (RULE 26) In order to try to find a spurious key F, the attacker will take the lattice .M described in Section 3.3.2 and use lattice reduction techniques to find a small vector vLLL ~ The smallest non-zero vector in NI is the vector vtarg = (~f, 9m . . . , gx~, so Hypothesis (H3) says that ~VLLLI2 ~ I~~K+1)N Ivtargl2.
Writing VLLL = (~F, G1, G2, . . . , GxJ, we find that ~2~F~2 + IG1IZ ~- . . . + IGxI~ ~ I~~K+1)NL9 ~2 +. K.
The vector vLLL obtained by lattice reduction will have components whose size is more-or-less randomly distributed. In particular, all of the lengths ~~F~2 , ~G1 ~z , . . . , ~Gx~2 will be approximately the same, so we obtain (approximately) ~F 2 i IG1 2 ~ .. . , IGK12 ~ l~~K+1)NLg.
On the other hand. we can use this and (3) to estimate C~lOGl+~2~G2+~~~+~KOGx+m~F~~
~ Cl (I~ll2 ~ IGll2 -f- . . . -f- I~KI2 ~ ~~'K~2 + ~m~2 ~ ~~' ~2~
-ClL~lIG112+~..+(GK12+~F~2~
> Cl (K + 1)L~L9l~~K+1)N.
So the spurious key will fail with wrapping factor W provided the parameters are chosen to satisfy Wq < cl(~~ + 1)L~L9~~K+i)N. (7) (This may be compared with the decoding inequality (4).) ~3.3.4 Big lattice attack on an individual message. There is one other sort of lattice attack which must be considered. Rather than looking for a key which decodes every message, an attacker can construct a lattice to search for an individual message.
Consider the following lattice, which is similar to the one used in Section 3.3.2. Let J1~1 be the lattice generated by the columns of the matrix aI 0 0 0 -~- 0 0 0 ~1 0 0 ~ 0 0 0 0 ~I 0 --~ 0 0 0 0 0 aI -- 0 0 Pl~i ~~a Ph3 ... phx qI
SUBSTITUTE SH EET (RULE 2fi) This lattice satisfies dim(.M) _ (K + 1)N and Disc(.M) - ~xNqN
and contains (using the obvious notation) the vector (~~t > ~~z, . . . , ~~x, a - m~. (8) It contains this vector because the encoded message e. was constructed according to the rule py OO hl + p~2 *O hz + ~ ~ ~ + pox *O hx + m = a (mod q).
Clearly (8) is not likely to be a short vector, since the coefficients of a -m (mod q) will not be small. However, the attacker knows the value of e, so she can search for a vector in Jl~l which is close to the known non-lattice vector ~0, 0, . . . , 0, e~. The distance from the sought for lattice vector and the known non-lattice vector is the length of the vector vtarg = ~~~i> ~~2> . . . , ~l~x, -m~.
This is an example of an inhomogeneous lattice problem. Inhomogeneous problems tend to be somewhat harder than homogeneous problems, but to err on the side of caution, we will assume that the attacker can solve inhomogeneous problems to the exact same degree she can solve homogeneous problems. So we need to see if the attacker can find a vector of length Ivtargl2 = L~ K~2 + p2 {Remember that ~Tn~z = p ~~~z for every m E G.",, and every ~ E G~.) According to Hypothesis (H2), the attack will fail provided that Ivtar , > /~-dim(N!) dim(.Nl) DisC(./1~()l~dim(M)~
ire or in other words, if L~ K~12~(K+1) + p2~-2K/(K+1) > ,~-(x+i)N {K + 1)Nql~(x+i), - ire The attacker will minimize the left-hand side by taking a = p (see Lemma A.l), so the attack will fail provided ql~(x+1) ~ ~(x+1)NL~ ~epl~(x+y.
- N
This may be compared with (6), which it complements.
SUBSTITUTE SHEET (RULE 26) ~3.3.5 Summary of lattice attack parameter constraints. In the preceding parts of this section we have described various lattice attacks and devised constraints on the parameters which prevent these attacks from succeeding. There remains the question of whether there exist any choices of parameters which satisfy all of the constraints. For the convenience of the reader, we list here all of the inequalities from this section, together with the fundamental inequality (4) which is necessary if the owner of the true key f is to be able to decode messages.
c2pL9L~(K + 1) < q.
~reLg q c N ~ (5) qk/(k+1) < ~(k+1)NL9 N for every 1 < k < K.
Wq < W (K + 1 )L~L9~(K+1)m (7) qll(x+1) < ~(x+i)NL~ ~epy(x+1).
- N
We observe that for any fixed values cl, c2, p, L~ > 0 and p, r~, W > 1, there always exist solutions N, K, L9, q to these inequalities. We now make a few remarks to assist in finding solutions.
We begin by combining these inequalities in various ways. First combining (4) and (7) gives (after some algebra) (K + 1 )N > log(ci lc2pW) . {10) log ~c Note we have (essentially) no freedom in choosing cl, c2, and ~, and that W
will be chosen between 5 and 10 depending on the level of security desired. This leaves the choice of p, which will normally be fairly small. The point here is that (10) gives a lower bound for (K + 1)N over which we have very little control.
Next we combine (4) and (5) to get L > c2p(K+ 1)NL . 11 s ~e ~ { ) In order to have some flexibility in the choice of q, it is a good idea to take L9 to be (say) 1.5 to 2 times larger than this prescribed lower bound.
For example, if G~ and G9 are as described in Section 2.2, then L~ = 2d and most g E G9 satisfy ~g~2 :., L9 = N(r2 - 1)/12. So after using {11) to choose L9, we can take r = LLg 12/N~ , and then most g E G9 will have L2 norm very close to the desired L9. F~lrther, since the code creator Dan is the only one who chooses elements from G9, and since these choices only need to be made once, it won't be hard for him to find the necessary K -f- 1 polynomials in G9 with norm approximately L9; and even with the length restriction, the number of such polynomials in Gg is astronomically larger than an attacker can check via exhaustive search, since in practice rN tends to be at least 2500.
SUBSTITUTE SHEET (RULE 2fi) ~4 IMPLEMENTATION CONSIDERATIONS
~4.1 Security and Wrapping Factors. Recall that the wrapping factor W controls how much wrapping the attacker can expect when she uses a spurious key produced by lattice reduction. If W is too small, for example W = 1.5, then the attacker will be able to recover many (maybe even most) of the coefficients, because their values tend to cluster around the mean. More precisely, the attacker will recover (say) 0.95N linear equations for the N unkown coefficients, and then a brute-force search finishes the attack.
Coppersmith and Shamir (3J have observed that even if W is a bit larger than this, say W = 2.5, then the clustering allows the attacker to obtain approximately 0.67N
linear equations for the N unknowns. They then observe that if the attacker constructs two independent spurious keys and applies them, she might obtain sufficiently many independent equations to solve the system. They further note that if W = 4, then using several short. vectors might allow the attack to succeed by employing some sort of error-correcting technique, but that if W is as large as 10, then this sort of attack will not succeed. We refer the reader to (3~ for details.
Based on these considerations, we will use a wrapping factor of W = 10 to construct sample operating parameters.
~4.2 Sample Operating Parameters. In this section we will work out two sets of us-able parameters for the NTRU PKCS which are secure under the hypotheses of Section 3.
These parameter sets lead to a fairly high message expansion, so we refer the reader to Section 4.3 below for a two-stage version of NTRU which reduces the message expansion to a managable 2-to- 1.
We begin with three values forced on us by experimental evidence, and a fourth value chosen to ensure sufficient wrapping to foil a spurious key attack:
cl = 0.08, c2 = 0.24, W = 10 ~ = 1.51/100 1.0040628823.
The values of cl and c2 have been determined by extensive numerical testing in the desired ranges: but we also have a fairly good idea how to give them a probabilistic justification.
The wrapping factor W = 10 was discussed above in Section 4.1. Finally, the choice of the lattice reduction constant ~ has already been discussed in the remark in Section 3.3, although to guard against future improvements in lattice reduction technology, the se-curity conscious user might instead take ~ = 1.31/100 with minor changes in the other parameters.
We consider first the choice p = 2. The inequality (10) from Section 3.3.5 tells us that we need to take (K + 1)N > 1009.79, so we will let N=167 and K=6.
(It is convenient, but not necessary, to have N and (N - 1 ) /2 both prime. ) This choice will provide sufficient leeway for choosing the remaining coefficients.
We take G~ as in Section 2.2 with d = 20, so #G~ = 167!/20! ~ 20! ~ 127! ~
2165.85 which provides sufficient security against meet-in-the-middle attacks.
Further, L~ _ SUBSTITUTE SHEET (RULE 26) 2d .': 6.325, and substituting these choices into (11) gives Lg > 414.07. To provide some leeway, we take r = 167, which makes the expected value of L9 equal to 622.98.
Finally, our five fundamental inequalities from Section 3.3.5 tell us that q must satisfy 213.6924 ~ q < maX~ 214.2766 ~ 214.7278' 214.6238' 252.481 ~ .
(Of course, the inequality (6k) in Section 3.3.5 is really 6 inequalities, one for each 1 <_ k < 6.) Thus we can take q = 214 - 1 = 16383. (Note that gcd(p, q) = 1 is required.) To recapitulate, assuming the hypotheses of Section 3.3, the following parameters give a secure NTRU PKCS:
N=167, l~=6, q=16383=214-1, p=2, r=167, d=20, s=3, where the sets G~, Gg, Gm are chosen as described in Section 2.2. For these parameters we have Public key length = Nk log2 q = 14028 bits Private key length = N loge pr = 1400 bits Message expansion = log q/ log p = 14-to-l Using a similar analysis, we construct a second set of secure NTRU parameters with a larger value of p. These parameters seem well suited to current microprocessors, since all operations are on numbers smaller than 216, and q is a power of 2, so division by q with remainder is a simple shift operation. We take N=167, K=6, q=216, p=3, r=354, d=40, s=7.
These parameters give #G~ = 167!/40! ~ 40! ~ 87! ~. 2239.3 and Public key length = NK log2 q = 16032 bits Private key length = N loge pr = 1678 bits Message expansion = log q/ log p = 10.1-to-1 ~4.3 Two-Stage NTRU and Improved Message Expansion. The NTRU PKCS's for the sample parameters presented in Section 4.2 have rather large message expansions.
One method to decrease this expansion is to use a larger value of p, but this leads to significantly larger values for (K + 1)N, which in turn increases both key sizes and decreases computational efficiency.
Another method to decrease message expansion is to use each NTRU message as a sort of one-time-pad to encode the actual message. In this two-stage version of NTRU, the encoder Cathy chooses a random polynomial m E G,",,, while her actual plaintext message M is allowed to be any polynomial modulo q. To encode her message, she computes the two quantities x a = ~ phi OO hi + rn (mod q) and E - m ~ hl + M (mod q).
i=1 SUBSTITUTE SHEET (RULE 26) The encoded message is the pair (e, E).
The decoding process is similar to before, but with one extra step. Thus the decoder Dan follows the procedure described in Section 1.4 to compute the polynomial m. He then recovers the message by computing E - m OO hl (mod q).
We observe that the plaintext message M has length N loge q bits, while the encoded message (e, E) has length 2N loge q bits, so message expansion is down to 2-to-1.
We make one further remark. Cathy is using the same polynomial and modulus to encode both m and M. We do not believe that this compromises security, but for added security she could compute E - mOH+M (mod Q) for a different (public) polynomial H
and modulus Q.
~4.4 Theoretical Operating Specifications. In this section we consider the theo-retical operating characteristics of the NTRU PKCS. There are four integer parame-ters (N, K, p, q), three sets G9, G~, G,",, determined respectively by integers r. d, s as de-scribed in Section 2.2, three experimentally determined constants cl, c2, r~, and a wrapping constant W. To ensure security, these parameters must be chosen to satisfy the inequal-ities listed in Section 3.3.5. The following table summarizes the NTRU PKCS
operating characteristics in terms of these parameters.
Plain Text Block N loge p bits Encoded Text Block N Iog2 q bits Encoding Speed* O(KN2) operations Decoding Speed O(NZ) operations Message Expansion logy q-to-l Private Key Length N loge pr bits Public Key Length KN log2 q bits ' Precisely, 4FCN2 additions and ffN divisions by q with remainder For Two-Stage NTRU as described in Section 4.4, the following items change:
Plain Text Block N loge q bits Encoded Text Block2N loge q bits Message Expansion2-to-l ~4.5 Other Implementation Considerations. We briefly mention some additional factors which should be considered when implementing NTRU.
(1) It is important that gcd(q,p) = 1. Although in principle NTRU will work without this requirement, in practice having gcd(q, P) > 1 will decrease security. At the ex-treme range, if p~q, then (exercise) the encoded message a satisfies a - m (mod ~), so it is completely insecure.
SUBSTITUTE SH~~T (RULE Z6) (2) We want most f's to have inverses modulo p and modulo q, since otherwise it will be hard to create keys. A first necessary requirement is that gcd( f (1 ), pq) = l, but if this fails for some chosen f , the code creator can instead use, say, f (X ) -~ 1 or f {X ) - 1. Assuming gcd( f ( 1), pq) = 1, virtually all f 's will have the required inverses if we take N to be a prime and require that for each prime P dividing p and q, the order of P in (7G/N7G)* is large, say either N - 1 or (N - 1)/2.
For example, this will certainly be true if (N - 1)/2 is itself prime (i.e., N is a Sophie Germain prime). Examples of such primes include 107 and 167.
~5 MODERATE SECURITY PARAMETERS FOR NTRU
There are many situations in the real world where high speed and/or low memory requirements are important and a moderate level of security is acceptable. In this context, we observe that actual lattice reduction methods (lI, 12~ are extremely CPU
intensive and that. in practice. it requires a large expenditure of computer time to perform a lattice reduction on a lattice of dimension 200 to 300. Of course, "large'' here is a relative term, but it would probably not be worthwhile to perform a 300 dimensional lattice reduction to steal something worth a fraction of a cent, and it would certainly be very expensive (if not completely infeasible) using current methods to perform such a lattice reduction in a short period of time (say a few minutes). Thus it is worthwhile creating a set of NTRU
parameters which can be used in situations where one is willing to allow the possibility of large dimensional lattice attacks.
If we eliminate the parameter constraints coming from lattice attacks, we are left with only the decoding constraint c2pL9L~(K + 1) < q (4) and the condition that the search spaces for f , g, and ø are large enough to prevent a brute-force (or possibly a meet-in-the-middle) attack. For simplicity, we will take K = 1.
We will take all of f, g, ~ to be in the set G~, which is the set of polynomials with d coefficients equal to 1, d coefficients equal to -1, and the other N - 2d coefficients equal to 0. (More precisely, since we need f to be invertible modulo p and q, we will take f to have an extra 1 coefficient, but this will have little effect on the subsequent analysis, so we will ignore it. ) Using c2 = 0.24 as usual, the decoding constraint becomes simply q > 2pd.
(4) Our other constraint is N N! > 2aa Cd; d; N - 2d~ _ (d!)2(N - 2d)!
where Q is the desired security level. We note that for moderate security implementations, a security level of around 24° will generally suffice, so we will take Q .:; 40.
The following table gives some acceptable operating parameters for a moderate security implementation of NTRU. In evaluating the security, we note that available lattice attacks use a lattice of dimension 2N. We also note that the listed value of q is the smallest SUBSTITUTE SHEET (RULE 26) allowed, but that a somewhat larger q satisfying gcd(p, q) = 1 is acceptable.
In particular, especially fast implementations are available by taking q = 64.
N d Q p q 107 9 41.11 2 37 107 9 41.11 3 55 167 7 38.98 2 29 167 7 38.98 3 43 263 7 43.72 2 29 263 7 43.72 3 43 Finally, we observe that the key sizes are very small, Public Key: N loge (q) bits Private Key: 2N loge (p) bits For example. (N, d, p, q) _ (167, 7, 3, 64) gives a system with public and private keys of lengths 1002 bits and 530 bits respectively.
~6 COMPARISON WITH OTHER PKCS'S
There are currently a number of public key cryptosystems in the literature, including the system of Rivest, Shamir, and Adelman (RSA ~10~) based on the difficulty of factoring, the system of McEliece (9~ based on error correcting codes, and the recent system of Goldreich, Goldwasser, and Halevi (GGH ~5~) based on the difficulty of finding short almost-orthogonalized bases in a lattice.
The NTRU system has some features in common with McEliece's system, in that OO
-multiplication in the ring R can be formulated as multiplication of matrices (of a special kind), and then encoding in both systems can be written as a matrix multiplication E = AX + Y. where A is the public key. A minor difference between the two systems is that for an NTRU encoding, Y is the message and X is a random vector, while the McEliece system reverses these assignments. But the real difference is the underlying trap-door which allows decoding. For the McEliece system, the matrix A is associated to an error correcting (Goppa) code, and decoding works because the random contribution is small enough to be "corrected" by the Goppa code. For NTRU, the matrix A is a circulant matrix, and decoding depends on the decomposition of A into a product of two matrices having a special form, together with a lifting from mod q to mod p.
As far as we can tell, the NTRU system has little in common with the RSA
system.
Similarly, although the NTRU system must be set up to prevent lattice reduction attacks, its underlying decoding method is very different from the GGH system, in which decoding is based on knowledge of short lattice bases. In this aspect, GGH actually resembles the McEliece system, since in both cases decoding is performed by recognizing and eliminating a small random contribution. Contrasting this, NTRU eliminates a much larger random contribution via divisibility (i.e., congruence) considerations.
SUBSTITUTE SHEET (RULE 26~
WO 98!08323 PCTIU597/15826 The following table compares some of the theoretical operating characteristics of the RSA, I~'IcEliece, GGH, and NTRU cryptosystems. In each case the number N
represents a natural security/message length parameter.
NTRU RSA McEliece GGH
Encoding Speed NZ N2 N2 N2 Decoding Speed N2 N3 N2 N2 Public Key N N N2 N2 Private Key N N NZ N2 Message Expansion 2-1 1-1 2-1 1-1 SUBSTITUTE SHEET (RULE 26) APPENDIX A. AN ELEMENTARY LEMMA
The following result is useful for optimizing lattice attacks.
Lemma A.1. For all A, B, a, /~ > 0 with a + ~3 = 1, ApBa inf Axa + Bx-a =
a>0 aea~Q ' with the infimum occurring at x = ~3B/aA.
Proof. Let f (x) = Axa + Bx-A. Then f'(x) = cxAxa-1 - ~3Bx-~-1 = xA+1 (aAx -/38).
So the absolute minimum is at x = ,QB/aA. (Note that f {x) -~ oo as x --> 0+
and as x --~ oo. ) REFERENCES
1. M. Blum, S. Goldwasser, An ef~'tcient probabilistic public-key encryption scheme which hides all partial information, Advances in Cryptology: Proceedings of CRYP-TO 84, Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1985, pp.
299.
2. H. Cohen, A course in computational algebraic number theory, Graduate Texts in Math., vol. 138, Springer Verlag, Berlin, 1993.
3. D. Coppersmith, A. Shamir, Lattice attacks on NTR U, Preprint, April 5, 1997;
presented at Eurocrypt 97.
4. W. Diffie, M.E. Heilman, New directions in cryptography, IEEE Trans. on Informa-tion Theory 22 (1976), 644-fi54.
5. O. Goldreich, S. Goldwasser, S. Halevi, Public-key cryptosystems from lattice reduc-tion problems, MIT - Laboratory for Computer Science preprint, November 1996.
6. S. Goldwasser and A. Micali, Probabilistic encryption, J. Computer and Systems Science 28 (1984), 270-299.
There has been considerable interest in the creation of efficient and computationally inexpensive public key cryptosystems since Diffie and Hellman (4~ explained how such systems could be created using one-way functions. Currently, the most widely used pub-lic key system is RSA, which was created by Rivest, Shamir and Adelman in 1978 (10~
and is based on the difficulty of factoring large numbers. Other systems include the Typeset by ASS-TIC
SUBSTTTUTE SHE~'3'tRULE Z6) WO 98/08323 3p PCT/US97/15826 McEliece system (9~ which relies on error correcting codes, and a recent system of Gol-dreich, Goldwasser, and Halevi (5~ which is based on the difficulty of lattice reduction problems.
In this paper we describe a new public key cryptosystem, which we call the NTRU
system. The encoding procedure uses a mixing system based on polynomial algebra and reduction modulo two numbers p and q, while the decoding procedure uses an unmixing system whose validity depends on elementary probability theory. The security of the NTRU public key cryptosystem comes from the interaction of the polynomial mixing system with the independence of reduction modulo ,v and q. Security also relies on the (experimentally observed) fact that for most lattices, it is very difficult to find extremely short (as opposed to moderately short) vectors.
We mention that. the presentation in this paper differs from an earlier, widely circu-lated but unpublished, preprint (7~ in two major ways. First, we have introduced a new parameter K which can be used to produce systems with better operating characteris-tics. Second, the analysis of lattice-based attacks has been expanded and clarified, based largely on the numerous comments received from Don Coppersmith, Johan Hastad, and Adi Shamir in person, via email, and in the recent article (3~. We would like to take this opportunity to thank them for their interest and their help.
NTRU fits into the general framework of a probabilistic cryptosystem as described in (1~ and (6~. This means that encryption includes a random element, so each message has many possible encryptions. Encoding and decoding with NTRU are extremely fast, and key creation is fast and easy. See Sections 4 and 5 for specifics, but we note here that NTRU takes O(N2) operations to encode or decode a message block of length N, making it considerably faster than the O(N3) operations required by RSA. Farther, NTRU key lengths are O(N), which compares well with the O(NZ) key lengths required by other "fast" public keys systems such as (9, 5J.
~l. DESCRIPTION OF THE NTRU ALGORITHM
~1.1. Notation. An NTRU cryptosystem depends on four integer parameters (N, K, p, q) and three sets G9, G~, Gr" of polynomials of degree N - 1 with integer coefficients. We work in the ring R = 7~(X~/(XN - 1). An element F E R will be written as a polynomial or a vector, N
F _ FixN Z = (Fl ~ F2~ . . . , FN).
i=1 We write Q to denote multiplication in R. This star multiplication is given explicitly as a cyclic convolution product, k-1 N
F OO G = H with Hk = ~ FiGk_i -~ ~ FiGN+k-i = ~ FiGj.
i=1 j=k i~-j=_k (mod N) When we do a multiplication modulo (say) q, we mean to reduce the coefficients modulo q.
Remark. In principle, computation of a product F O G requires N2 multiplications. How-ever. for a typical product used by NTRU, one of F or G has small coefficients, so the SU8ST1TUTE SHEET (RULE 26) computation of F O G is very fast. On the other hand, if N is taken to be large, then it might be faster to use Fast Fourier Transforms to compute products F OO G in O(N log N) operations.
~1.2 Key Creation. To create an NTRU key, Dan randomly chooses K-I-1 polynomials f, gl, . . . , gx E G9. The polynomial f must satisfy the additional requirement that it have inverses modulo q and modulo ~. For suitable parameter choices, this will be true for most choices of f , and the actual computation of these inverses is easy using a modification of the Euclidean algorithm. We will denote these inverses by F9 and Fp, that is, Fq Q f - 1 (mod q) and Fr O f = 1 (mod ~). (1}
Dan next computes the quantities hi = F9 ~ gi (mod q), 1 < i < K. (2) Dan's public key is the list of polynomials (hl, h2, . . . , hx).
Dan's private key is the single polynomial f , although in practice he will also want to store Fp.
~1.3 Encoding. Suppose that Cathy (the encoder) wants to send a message to Dan (the decoder). She begins by selecting a message rn from the set of pla,intexts G,,,,. Next she randomly chooses K polynomials ~1, . . . , ~x E G~ and uses Dan's public key (hl, . . . , hx) to compute x a =- ~~~i O hi + m (mod q).
i=1 This is the encoded message which Cathy transmits to Dan.
~1.4 Decoding. Suppose that Dan has received the message a from Cathy and wants to decode it using his private key f . To do this efficiently, Dan should have precomputed the polynomial F~ described in Section 1.1.
In order to decode e, Dan first computes a - f ~ a (mod q), where he chooses the coefficients of a in the interval from -q/2 to q/2. Now treating a as a polynomial with integer coefficients, Dan recovers the message by computing F~ OO a (mod w).
Remark. For appropriate parameter values, there is an extremely high probability that the decoding procedure will recover the original message. However, some parameter choices may cause occasional decoding failure, so one should probably include a few check bits in each message block. The usual cause of decoding failure will be that the message is improperly centered. In this case Dan will be able to recover the message by choosing the coefficients of a = f O a (mod q) in a slightly different interval, for example from -q/2 + x to q/2 + x for some small (positive or negative} value of x. If no value of ~ works, then we say that we have gap failure and the message cannot be decoded as easily. For well-chosen parameter values, this will occur so rarely that it can be ignored in practice.
SUBSTITUTE SHEET (RULE 26) X1.5 Why Decoding Works. The polynomial a that Dan computes satisfies K
a = f OO a - ~ f ~ phi OO h.i + f O m (mod q) i=1 K
f ~ p~i ~ FQ O* gi + f ~ m (mod q) from {2), i=1 K
~p~i OO gi + f ~ m (mod q) from (1).
i=1 Consider this last polynomial K
~, p~i O gi -~ f *O m.
i=1 For appropriate parameter choices, we can ensure that (almost always) alI of its coefficients lie between -q/2 and q/2, so that it doesn't change if its coefficients are reduced modulo q.
This means that when Dan reduces the coefficients of f O a modulo q into the interval from -q/2 to q/2, he recovers exactly the polynomial K
a=~p~iOO gi+f Om in 7G(X~~{XN-1).
i=1 Reducing a modulo p then gives him the polynomial f Q m {mod p), and multiplication by F~, retrieves the message m (mod p).
~2 PARAMETER SELECTION
~2.1 Notation and a norm estimate. We define the width of an element F E R to be ~F~oo - lm~ ~Fi} - 1~ N{Fi}~
As our notation suggests, this is a sort of L°° norm on R.
Similarly, we define a centered L2 noun on R by ~F~z - C~{Fi - F)2 ' , where F = N ~ Fi.
z_i / i=i (Equivalently, ~F~2 /~ is the standard deviation of the coefficients of F.) SUBSTTTUTE SHEET (RULE 2fi~
Proposition. For any a > 0 there are constants cl, c2 > 0, depending on e. N
and K, such that for randomly chosen polynomials Fl, . . . , FK, Gl, . . . , GK E R, the probability is greater than 1 - c that they satisfy K K K
Cl ~ (Fi~2 ' ~Gi~2 C ~~ Fi O Gi < c2 ~ IFil2 ~ IGil2 .
i=1 z-1 ~ i=1 Of course, this proposition would be useless from a practical veiwpoint if the ratio c2/cl were very large for small c's. However, it turns out that even for moderately large values of N and K and very small values of e, the constants cl, c2 are not at all extreme.
We have verified this experimentally in a large number of situations and have an outline of a theoretical proof.
~2.2 Sample spaces. As examples of typical sample spaces, we will take G9 = {g E R : g has coefficients between -(r - 1)/2 and (r - 1}/2 inclusive}
GQ = {~ E R. : ~ has d coefficients equal 1, d coefficients equal -l, the rest Gm, _ {m E R : m has coefficients between -(s - 1}/2 and (s - 1)/2 inclusive Later we will see that there are various constraints which r, d, s must satisfy in order to achieve security. We also note that every ~ E G~ has L2 norm ~~~2 = 2d, while average elements g E G9 and m E G~,, have L2 norms ~g~2 = ~N(r2 - 1)/12 and ~m~2 =
N(s2 - 1}/12 respectively. To ease notation, we will write L9, L~, L".z for the average L2 norm of elements of G9, G~, G,r,, respectively.
Although it is not strictly necessary, we will make the additional assumption that L,,,,, ~ pL~ This assumption will make it easier to analyze possible lattice attacks, as well as making such attacks less effective. As an example, suppose we take d ~ N/4.
Then we would take s ~ ~p. So the natural mod p information contained in m would have to be "thickened" by randomly adding and subtracting p to coefficients of m.
X2.3 A decoding criterion. As described in ~1.5, Dan will be able to decode the en-coded message m provided that ~~ phi O gi -i- f O m~~ < q. We can use the inequality (3}
of the above Proposition (with K + 1 in place of K and for a suitably small choice of ~) to estimate x x ~p~i~gi'~f ~ml <C2~p~~i~2'~gi~2+Ifl2'Iml2 i=1 ~° i=1 c2L9(KpL~ + L",,) .~ cZpL9L~(K + 1} using the assumption L,,, ~ pL~
So in order to decode (with probability 1 - a}, Dan needs to choose parameters satisfying the decoding constraint c2pLsL~(K + 1) < q. (4) SUBSTITUTE SNEET (RULE Z6) ~3 SECURITY ANALYSIS
~3.1 Meet-in-the-middle attacks. For simplicity (and to aid the attacker), we assume K = 1, so an encoded message looks like a - ~ ~ h. + m (mod q). Andrew Odlyzko has pointed out that there is a meet-in-the-middle attack which can be used against ~, and we observe that a similar attack applies also to the private key f . Briefly, one splits f in half, say f = fl -i- f2, and then one matches fl Q a against - f2 p e, looking for ( fl, f2) so that the corresponding coefficients have approximately the same value. Hence in order to obtain a security level of (say) 2g°, one must choose f , g, and ~
from sets containing around 2lso elements.
~3.2 Multiple transmission attacks. Again for simplicity we assume that K = 1.
We observe that if Cathy sends a single message m several times using the same public key but different random ~'s, then the attacker Betty will be able to recover a large part of the message. Briefly, suppose that Cathy transmits ei - ~i~h+m (mod q) for i = 1, 2, . . . , r.
Betty can then compute (e2 - el) Q h-1 (mod q), thereby recovering ~i - ~1 (mod q).
However, the coefficients of the ~'s are so small that she recovers exactly ~i - ~1, and from this she will recover exactly many of the coefficients of ~1. If r is even of moderate size (say 4 or 5), Betty will recover enough of ~1 to be able to test all possibilities by brute force,thereby recovering m. Thus multiple transmission are not advised without some further scrambling of the underlying message. We do point out that even if Betty decodes a single message in this fashion, this information will not assist her in decoding any further messages.
~3.3 Lattice based attacks.
We begin with a few words concerning lattice reduction. The goal of lattice reduction is to find one or more ''small" vectors in a given lattice .A~1. In theory, the smallest vector in ./1~1 can be found by an exhaustive search, but in practice this is not possible if the dimension of .M is large. The LLL algorithm of Lenstra-Lenstra-Lovasz ~8~, with various improvements due to Schnorr (1 i, 12~ and others; will find small vectors of .N! in polynomial time, but for most lattices of large ( > 100, say) dimension, it will not find the smallest vector, and the gap between the smallest LLL-determinable vector and the actual smallest vector appears to increase exponentially with the dimension.
In order to describe the security of NTRU from lattice attacks, we consider the following three hypotheses on lattices of large dimension:
(Hi) For most lattices J1~1, the length ~{J~t) of the smallest non-zero vector of .M
satisfies dir~(.M) Disc(,M)1/dim(JLl) C ~(~) C dim(,/Vl) Disc(.M)lldim{.n~t) Hence if v E .M satisfies dim(JVl) D1SC(,M)l~dim(.n'1)' ire then v will be hidden in a cloud of exponentially many vectors of approximately the same length.
SUBSTITUTE SHEET (RULE 26) (H2 ) Suppose that the lattice Jlil has a vector w which is smaller than the shortest expected vector described by (H1 ), but that .M is otherwise a ''random"
lattice.
If w satisfies Iwl > h-dim(Jv1) dim(.M) D1SC(./~)l~dim(.M) ire then lattice reduction is highly unlikely to find w.
(H3) Suppose we are in the situation of (H2). Then the smallest non-zero vector vLLL computed by lattice reduction methods is almost certain to satisfy VLLLI ~ ~dim(M)~w~, Remark. The lattice reduction constant ~ which appears in hypotheses (H2) and (H3) must be determined by experimentation and experience. This is similar to the situation with the RSA PKCS, where security rests on estimating current capabilities for factoring products pq. It is even more closely analogous to the PKCS described in (5~, whose security is directly linked to the difficulty of finding small (almost orthogonalized) bases for lattices. Experiments with lattices of large ( > 100) dimension suggest that one can take r~ = 1.51100. (See, for example, (11~ and (12~.) And just as future advances in factorization will require the use of larger primes in the RSA PKCS, so future advances in lattice reduction will undoubtedly require using a smaller value of ~ and correspondingly larger parameters in NTRU. We also mention that we will only need to assume hypotheses (HZ) and (H3) for lattices of dimension greater than 700. For lattices of such high dimension, even the LLL algorithm with Schnorr's block reduction improvement takes quite a long time. If we are willing to assume hypotheses (H2) and (H3) for lattices of dimension around 300, we can choose NTRU parameters with even better operating characteristics.
~3.3.1 Small lattice attack on the key f . We begin with what is probably the most natural lattice, namely we take any one of the hi's and search for the small vector f with the property that hi ~ f {mod q) is also small. To do this, we write h~ _ (hil, . . . , hiN~
and consider the lattice ,M generated by the columns of the following matrix:
a 0 ~~~ 0 0 0 ~~~ 0 0 a ~~~ 0 0 0 ~~~ 0 _ 0 0 ~-~ a 0 0 ~~~ 0 h; hit . . . hiN q 0 . . . 0 l hit hi3 ... hil 0 q ... 0 hiN hil ... hi,N-1 0 0 ... q With an eye towards future notational convenience, we will write this matrix as M _ ~ aI 0 iti qI
SUBSTITUTE SHEET (RULE 26) The quantity ~ will be chosen by the attacker to optimize the attack. We observe that .~1~( satisfies dim(.M) = 2N and Disc(,M) = aNqN.
There are two issues to consider. First, is the actual key f embedded in .M as a short vector. Notice that Jv( contains the target vector vtarg=~~fN~~~~ >~flogil~~~~ ~9iN~~
and knowledge of vtarg allows recovery of f . However, we can compute the length of vtarg aS
wtarg~2 = ~~f 12 + ~gi~2 - L9 ~2 '+ 1.
Hypothesis (Hi) says that f is safe from attack if wtarg~2 satisfies the inequality ~vtarg~2 > dim(.M) Disc(,M)l~dim(JVl) - 2N~q ~e ire In other words, we need Lg ~ + a-1 > 2Nq.
~e The optimal .~ from the attacker's viewpoint is .~ = 1 (see Lemma A.l), since she wants to minimize the left-hand side. So we will be safe provided ~eL9 q~ N
A second consideration is whether some other small vector in ,M might allow the attacker to decode the message. Thus any small vector ~ f', g'~ E .NL has the property that f' and hi OO f' = g' (mod q) are both small. However, if the attacker computes x a OO f' _ ~ P~~ ~ hj OO f' -!- m ~ f' (mod q), j=1 only the term with j = i will have small coefficients modulo q. Hence an f' which makes a single hi small will not act as a decoding key. This suggests that we look at all of the h,j's simultaneously, which leads us to the next lattice.
~3.3.2 Big lattice attack on the key f . Rather than using only one of the hi's, the attacker can instead form a lattice using some subset of the hi's. Relabeling, we will assume that the attacker uses hl, . . . , hk for some 1 < k G K and forms the lattice .M
generated by the columns of the matrix ~I 0 0 0 ~~~0 hl qI 0 0 ~~-0 0 qI 0 ~~~0 h3 0 0 qI ~~~0 h,~ 0 0 0 ~~~qI
SUBSTITUTE SHEET (RULE 26) (We are using the abbreviated notation from the previous section.) This lattice satisfies dim(.M) _ (k + 1)N and Disc(~l~t) _ ,~NqkN
It contains the target vector (using the obvious shorthand) '~targ = ~~.f, 91 > 92, . . . , 9k~.
(More precisely, the coordinates of f need to be reversed.) This target vector has length Ivtargl2 = ~~f 12 + 19112 + . . . I9k12 = L9 ~2 + k.
Hypothesis (H2) says that lattice reduction will not be able to find vtarg provided that its length satisfies Ivtargl2 > I~-dim(Nt) dim(,M) D1SC(./~)1/dim(~l~t) ~e _ ~-(k+1)N (k + 1)N _ ~1/(k+1)qk/(k+i) ~e So we will be safe from attack if L9 ,~2k/(k+1) - k,~-2/(k+1) ] ~-(k+1)N (k + 1)Nqk/(k+1) - ire As before, the attacker will choose a to minimize the left-hand side. Again it turns out that .~ = 1 gives the minimum (See Lemma A.1), so the actual key will be safe under Hypothesis (H2 ) provided qk/(k+1) ~ ~(k+1)NL9 ~
N
X3.3.3 Big lattice attack on a spurious key f . Rather than searching for the true key f , the attacker might try to find some other key F which acts as a decoding key. In order to be a spurious key, F itself and also each of the products h~ ~ F (mod q) must be small. More precisely, suppose that the attacker finds an F and computes G~ - h~ OO F (mod q) for j = l, 2, . . . , K.
We would like to know that the width (L°° norm) of an expression ~1~G1+200 G2+...+~KOO GK+rrtOO F
is generally at least Wq for some wrapping factor W. (We will discuss in Section 4 the question of how large W must. be for for the system to be secure.) SUBSTITUTE SHEET (RULE 26) In order to try to find a spurious key F, the attacker will take the lattice .M described in Section 3.3.2 and use lattice reduction techniques to find a small vector vLLL ~ The smallest non-zero vector in NI is the vector vtarg = (~f, 9m . . . , gx~, so Hypothesis (H3) says that ~VLLLI2 ~ I~~K+1)N Ivtargl2.
Writing VLLL = (~F, G1, G2, . . . , GxJ, we find that ~2~F~2 + IG1IZ ~- . . . + IGxI~ ~ I~~K+1)NL9 ~2 +. K.
The vector vLLL obtained by lattice reduction will have components whose size is more-or-less randomly distributed. In particular, all of the lengths ~~F~2 , ~G1 ~z , . . . , ~Gx~2 will be approximately the same, so we obtain (approximately) ~F 2 i IG1 2 ~ .. . , IGK12 ~ l~~K+1)NLg.
On the other hand. we can use this and (3) to estimate C~lOGl+~2~G2+~~~+~KOGx+m~F~~
~ Cl (I~ll2 ~ IGll2 -f- . . . -f- I~KI2 ~ ~~'K~2 + ~m~2 ~ ~~' ~2~
-ClL~lIG112+~..+(GK12+~F~2~
> Cl (K + 1)L~L9l~~K+1)N.
So the spurious key will fail with wrapping factor W provided the parameters are chosen to satisfy Wq < cl(~~ + 1)L~L9~~K+i)N. (7) (This may be compared with the decoding inequality (4).) ~3.3.4 Big lattice attack on an individual message. There is one other sort of lattice attack which must be considered. Rather than looking for a key which decodes every message, an attacker can construct a lattice to search for an individual message.
Consider the following lattice, which is similar to the one used in Section 3.3.2. Let J1~1 be the lattice generated by the columns of the matrix aI 0 0 0 -~- 0 0 0 ~1 0 0 ~ 0 0 0 0 ~I 0 --~ 0 0 0 0 0 aI -- 0 0 Pl~i ~~a Ph3 ... phx qI
SUBSTITUTE SH EET (RULE 2fi) This lattice satisfies dim(.M) _ (K + 1)N and Disc(.M) - ~xNqN
and contains (using the obvious notation) the vector (~~t > ~~z, . . . , ~~x, a - m~. (8) It contains this vector because the encoded message e. was constructed according to the rule py OO hl + p~2 *O hz + ~ ~ ~ + pox *O hx + m = a (mod q).
Clearly (8) is not likely to be a short vector, since the coefficients of a -m (mod q) will not be small. However, the attacker knows the value of e, so she can search for a vector in Jl~l which is close to the known non-lattice vector ~0, 0, . . . , 0, e~. The distance from the sought for lattice vector and the known non-lattice vector is the length of the vector vtarg = ~~~i> ~~2> . . . , ~l~x, -m~.
This is an example of an inhomogeneous lattice problem. Inhomogeneous problems tend to be somewhat harder than homogeneous problems, but to err on the side of caution, we will assume that the attacker can solve inhomogeneous problems to the exact same degree she can solve homogeneous problems. So we need to see if the attacker can find a vector of length Ivtargl2 = L~ K~2 + p2 {Remember that ~Tn~z = p ~~~z for every m E G.",, and every ~ E G~.) According to Hypothesis (H2), the attack will fail provided that Ivtar , > /~-dim(N!) dim(.Nl) DisC(./1~()l~dim(M)~
ire or in other words, if L~ K~12~(K+1) + p2~-2K/(K+1) > ,~-(x+i)N {K + 1)Nql~(x+i), - ire The attacker will minimize the left-hand side by taking a = p (see Lemma A.l), so the attack will fail provided ql~(x+1) ~ ~(x+1)NL~ ~epl~(x+y.
- N
This may be compared with (6), which it complements.
SUBSTITUTE SHEET (RULE 26) ~3.3.5 Summary of lattice attack parameter constraints. In the preceding parts of this section we have described various lattice attacks and devised constraints on the parameters which prevent these attacks from succeeding. There remains the question of whether there exist any choices of parameters which satisfy all of the constraints. For the convenience of the reader, we list here all of the inequalities from this section, together with the fundamental inequality (4) which is necessary if the owner of the true key f is to be able to decode messages.
c2pL9L~(K + 1) < q.
~reLg q c N ~ (5) qk/(k+1) < ~(k+1)NL9 N for every 1 < k < K.
Wq < W (K + 1 )L~L9~(K+1)m (7) qll(x+1) < ~(x+i)NL~ ~epy(x+1).
- N
We observe that for any fixed values cl, c2, p, L~ > 0 and p, r~, W > 1, there always exist solutions N, K, L9, q to these inequalities. We now make a few remarks to assist in finding solutions.
We begin by combining these inequalities in various ways. First combining (4) and (7) gives (after some algebra) (K + 1 )N > log(ci lc2pW) . {10) log ~c Note we have (essentially) no freedom in choosing cl, c2, and ~, and that W
will be chosen between 5 and 10 depending on the level of security desired. This leaves the choice of p, which will normally be fairly small. The point here is that (10) gives a lower bound for (K + 1)N over which we have very little control.
Next we combine (4) and (5) to get L > c2p(K+ 1)NL . 11 s ~e ~ { ) In order to have some flexibility in the choice of q, it is a good idea to take L9 to be (say) 1.5 to 2 times larger than this prescribed lower bound.
For example, if G~ and G9 are as described in Section 2.2, then L~ = 2d and most g E G9 satisfy ~g~2 :., L9 = N(r2 - 1)/12. So after using {11) to choose L9, we can take r = LLg 12/N~ , and then most g E G9 will have L2 norm very close to the desired L9. F~lrther, since the code creator Dan is the only one who chooses elements from G9, and since these choices only need to be made once, it won't be hard for him to find the necessary K -f- 1 polynomials in G9 with norm approximately L9; and even with the length restriction, the number of such polynomials in Gg is astronomically larger than an attacker can check via exhaustive search, since in practice rN tends to be at least 2500.
SUBSTITUTE SHEET (RULE 2fi) ~4 IMPLEMENTATION CONSIDERATIONS
~4.1 Security and Wrapping Factors. Recall that the wrapping factor W controls how much wrapping the attacker can expect when she uses a spurious key produced by lattice reduction. If W is too small, for example W = 1.5, then the attacker will be able to recover many (maybe even most) of the coefficients, because their values tend to cluster around the mean. More precisely, the attacker will recover (say) 0.95N linear equations for the N unkown coefficients, and then a brute-force search finishes the attack.
Coppersmith and Shamir (3J have observed that even if W is a bit larger than this, say W = 2.5, then the clustering allows the attacker to obtain approximately 0.67N
linear equations for the N unknowns. They then observe that if the attacker constructs two independent spurious keys and applies them, she might obtain sufficiently many independent equations to solve the system. They further note that if W = 4, then using several short. vectors might allow the attack to succeed by employing some sort of error-correcting technique, but that if W is as large as 10, then this sort of attack will not succeed. We refer the reader to (3~ for details.
Based on these considerations, we will use a wrapping factor of W = 10 to construct sample operating parameters.
~4.2 Sample Operating Parameters. In this section we will work out two sets of us-able parameters for the NTRU PKCS which are secure under the hypotheses of Section 3.
These parameter sets lead to a fairly high message expansion, so we refer the reader to Section 4.3 below for a two-stage version of NTRU which reduces the message expansion to a managable 2-to- 1.
We begin with three values forced on us by experimental evidence, and a fourth value chosen to ensure sufficient wrapping to foil a spurious key attack:
cl = 0.08, c2 = 0.24, W = 10 ~ = 1.51/100 1.0040628823.
The values of cl and c2 have been determined by extensive numerical testing in the desired ranges: but we also have a fairly good idea how to give them a probabilistic justification.
The wrapping factor W = 10 was discussed above in Section 4.1. Finally, the choice of the lattice reduction constant ~ has already been discussed in the remark in Section 3.3, although to guard against future improvements in lattice reduction technology, the se-curity conscious user might instead take ~ = 1.31/100 with minor changes in the other parameters.
We consider first the choice p = 2. The inequality (10) from Section 3.3.5 tells us that we need to take (K + 1)N > 1009.79, so we will let N=167 and K=6.
(It is convenient, but not necessary, to have N and (N - 1 ) /2 both prime. ) This choice will provide sufficient leeway for choosing the remaining coefficients.
We take G~ as in Section 2.2 with d = 20, so #G~ = 167!/20! ~ 20! ~ 127! ~
2165.85 which provides sufficient security against meet-in-the-middle attacks.
Further, L~ _ SUBSTITUTE SHEET (RULE 26) 2d .': 6.325, and substituting these choices into (11) gives Lg > 414.07. To provide some leeway, we take r = 167, which makes the expected value of L9 equal to 622.98.
Finally, our five fundamental inequalities from Section 3.3.5 tell us that q must satisfy 213.6924 ~ q < maX~ 214.2766 ~ 214.7278' 214.6238' 252.481 ~ .
(Of course, the inequality (6k) in Section 3.3.5 is really 6 inequalities, one for each 1 <_ k < 6.) Thus we can take q = 214 - 1 = 16383. (Note that gcd(p, q) = 1 is required.) To recapitulate, assuming the hypotheses of Section 3.3, the following parameters give a secure NTRU PKCS:
N=167, l~=6, q=16383=214-1, p=2, r=167, d=20, s=3, where the sets G~, Gg, Gm are chosen as described in Section 2.2. For these parameters we have Public key length = Nk log2 q = 14028 bits Private key length = N loge pr = 1400 bits Message expansion = log q/ log p = 14-to-l Using a similar analysis, we construct a second set of secure NTRU parameters with a larger value of p. These parameters seem well suited to current microprocessors, since all operations are on numbers smaller than 216, and q is a power of 2, so division by q with remainder is a simple shift operation. We take N=167, K=6, q=216, p=3, r=354, d=40, s=7.
These parameters give #G~ = 167!/40! ~ 40! ~ 87! ~. 2239.3 and Public key length = NK log2 q = 16032 bits Private key length = N loge pr = 1678 bits Message expansion = log q/ log p = 10.1-to-1 ~4.3 Two-Stage NTRU and Improved Message Expansion. The NTRU PKCS's for the sample parameters presented in Section 4.2 have rather large message expansions.
One method to decrease this expansion is to use a larger value of p, but this leads to significantly larger values for (K + 1)N, which in turn increases both key sizes and decreases computational efficiency.
Another method to decrease message expansion is to use each NTRU message as a sort of one-time-pad to encode the actual message. In this two-stage version of NTRU, the encoder Cathy chooses a random polynomial m E G,",,, while her actual plaintext message M is allowed to be any polynomial modulo q. To encode her message, she computes the two quantities x a = ~ phi OO hi + rn (mod q) and E - m ~ hl + M (mod q).
i=1 SUBSTITUTE SHEET (RULE 26) The encoded message is the pair (e, E).
The decoding process is similar to before, but with one extra step. Thus the decoder Dan follows the procedure described in Section 1.4 to compute the polynomial m. He then recovers the message by computing E - m OO hl (mod q).
We observe that the plaintext message M has length N loge q bits, while the encoded message (e, E) has length 2N loge q bits, so message expansion is down to 2-to-1.
We make one further remark. Cathy is using the same polynomial and modulus to encode both m and M. We do not believe that this compromises security, but for added security she could compute E - mOH+M (mod Q) for a different (public) polynomial H
and modulus Q.
~4.4 Theoretical Operating Specifications. In this section we consider the theo-retical operating characteristics of the NTRU PKCS. There are four integer parame-ters (N, K, p, q), three sets G9, G~, G,",, determined respectively by integers r. d, s as de-scribed in Section 2.2, three experimentally determined constants cl, c2, r~, and a wrapping constant W. To ensure security, these parameters must be chosen to satisfy the inequal-ities listed in Section 3.3.5. The following table summarizes the NTRU PKCS
operating characteristics in terms of these parameters.
Plain Text Block N loge p bits Encoded Text Block N Iog2 q bits Encoding Speed* O(KN2) operations Decoding Speed O(NZ) operations Message Expansion logy q-to-l Private Key Length N loge pr bits Public Key Length KN log2 q bits ' Precisely, 4FCN2 additions and ffN divisions by q with remainder For Two-Stage NTRU as described in Section 4.4, the following items change:
Plain Text Block N loge q bits Encoded Text Block2N loge q bits Message Expansion2-to-l ~4.5 Other Implementation Considerations. We briefly mention some additional factors which should be considered when implementing NTRU.
(1) It is important that gcd(q,p) = 1. Although in principle NTRU will work without this requirement, in practice having gcd(q, P) > 1 will decrease security. At the ex-treme range, if p~q, then (exercise) the encoded message a satisfies a - m (mod ~), so it is completely insecure.
SUBSTITUTE SH~~T (RULE Z6) (2) We want most f's to have inverses modulo p and modulo q, since otherwise it will be hard to create keys. A first necessary requirement is that gcd( f (1 ), pq) = l, but if this fails for some chosen f , the code creator can instead use, say, f (X ) -~ 1 or f {X ) - 1. Assuming gcd( f ( 1), pq) = 1, virtually all f 's will have the required inverses if we take N to be a prime and require that for each prime P dividing p and q, the order of P in (7G/N7G)* is large, say either N - 1 or (N - 1)/2.
For example, this will certainly be true if (N - 1)/2 is itself prime (i.e., N is a Sophie Germain prime). Examples of such primes include 107 and 167.
~5 MODERATE SECURITY PARAMETERS FOR NTRU
There are many situations in the real world where high speed and/or low memory requirements are important and a moderate level of security is acceptable. In this context, we observe that actual lattice reduction methods (lI, 12~ are extremely CPU
intensive and that. in practice. it requires a large expenditure of computer time to perform a lattice reduction on a lattice of dimension 200 to 300. Of course, "large'' here is a relative term, but it would probably not be worthwhile to perform a 300 dimensional lattice reduction to steal something worth a fraction of a cent, and it would certainly be very expensive (if not completely infeasible) using current methods to perform such a lattice reduction in a short period of time (say a few minutes). Thus it is worthwhile creating a set of NTRU
parameters which can be used in situations where one is willing to allow the possibility of large dimensional lattice attacks.
If we eliminate the parameter constraints coming from lattice attacks, we are left with only the decoding constraint c2pL9L~(K + 1) < q (4) and the condition that the search spaces for f , g, and ø are large enough to prevent a brute-force (or possibly a meet-in-the-middle) attack. For simplicity, we will take K = 1.
We will take all of f, g, ~ to be in the set G~, which is the set of polynomials with d coefficients equal to 1, d coefficients equal to -1, and the other N - 2d coefficients equal to 0. (More precisely, since we need f to be invertible modulo p and q, we will take f to have an extra 1 coefficient, but this will have little effect on the subsequent analysis, so we will ignore it. ) Using c2 = 0.24 as usual, the decoding constraint becomes simply q > 2pd.
(4) Our other constraint is N N! > 2aa Cd; d; N - 2d~ _ (d!)2(N - 2d)!
where Q is the desired security level. We note that for moderate security implementations, a security level of around 24° will generally suffice, so we will take Q .:; 40.
The following table gives some acceptable operating parameters for a moderate security implementation of NTRU. In evaluating the security, we note that available lattice attacks use a lattice of dimension 2N. We also note that the listed value of q is the smallest SUBSTITUTE SHEET (RULE 26) allowed, but that a somewhat larger q satisfying gcd(p, q) = 1 is acceptable.
In particular, especially fast implementations are available by taking q = 64.
N d Q p q 107 9 41.11 2 37 107 9 41.11 3 55 167 7 38.98 2 29 167 7 38.98 3 43 263 7 43.72 2 29 263 7 43.72 3 43 Finally, we observe that the key sizes are very small, Public Key: N loge (q) bits Private Key: 2N loge (p) bits For example. (N, d, p, q) _ (167, 7, 3, 64) gives a system with public and private keys of lengths 1002 bits and 530 bits respectively.
~6 COMPARISON WITH OTHER PKCS'S
There are currently a number of public key cryptosystems in the literature, including the system of Rivest, Shamir, and Adelman (RSA ~10~) based on the difficulty of factoring, the system of McEliece (9~ based on error correcting codes, and the recent system of Goldreich, Goldwasser, and Halevi (GGH ~5~) based on the difficulty of finding short almost-orthogonalized bases in a lattice.
The NTRU system has some features in common with McEliece's system, in that OO
-multiplication in the ring R can be formulated as multiplication of matrices (of a special kind), and then encoding in both systems can be written as a matrix multiplication E = AX + Y. where A is the public key. A minor difference between the two systems is that for an NTRU encoding, Y is the message and X is a random vector, while the McEliece system reverses these assignments. But the real difference is the underlying trap-door which allows decoding. For the McEliece system, the matrix A is associated to an error correcting (Goppa) code, and decoding works because the random contribution is small enough to be "corrected" by the Goppa code. For NTRU, the matrix A is a circulant matrix, and decoding depends on the decomposition of A into a product of two matrices having a special form, together with a lifting from mod q to mod p.
As far as we can tell, the NTRU system has little in common with the RSA
system.
Similarly, although the NTRU system must be set up to prevent lattice reduction attacks, its underlying decoding method is very different from the GGH system, in which decoding is based on knowledge of short lattice bases. In this aspect, GGH actually resembles the McEliece system, since in both cases decoding is performed by recognizing and eliminating a small random contribution. Contrasting this, NTRU eliminates a much larger random contribution via divisibility (i.e., congruence) considerations.
SUBSTITUTE SHEET (RULE 26~
WO 98!08323 PCTIU597/15826 The following table compares some of the theoretical operating characteristics of the RSA, I~'IcEliece, GGH, and NTRU cryptosystems. In each case the number N
represents a natural security/message length parameter.
NTRU RSA McEliece GGH
Encoding Speed NZ N2 N2 N2 Decoding Speed N2 N3 N2 N2 Public Key N N N2 N2 Private Key N N NZ N2 Message Expansion 2-1 1-1 2-1 1-1 SUBSTITUTE SHEET (RULE 26) APPENDIX A. AN ELEMENTARY LEMMA
The following result is useful for optimizing lattice attacks.
Lemma A.1. For all A, B, a, /~ > 0 with a + ~3 = 1, ApBa inf Axa + Bx-a =
a>0 aea~Q ' with the infimum occurring at x = ~3B/aA.
Proof. Let f (x) = Axa + Bx-A. Then f'(x) = cxAxa-1 - ~3Bx-~-1 = xA+1 (aAx -/38).
So the absolute minimum is at x = ,QB/aA. (Note that f {x) -~ oo as x --> 0+
and as x --~ oo. ) REFERENCES
1. M. Blum, S. Goldwasser, An ef~'tcient probabilistic public-key encryption scheme which hides all partial information, Advances in Cryptology: Proceedings of CRYP-TO 84, Lecture Notes in Computer Science, vol. 196, Springer-Verlag, 1985, pp.
299.
2. H. Cohen, A course in computational algebraic number theory, Graduate Texts in Math., vol. 138, Springer Verlag, Berlin, 1993.
3. D. Coppersmith, A. Shamir, Lattice attacks on NTR U, Preprint, April 5, 1997;
presented at Eurocrypt 97.
4. W. Diffie, M.E. Heilman, New directions in cryptography, IEEE Trans. on Informa-tion Theory 22 (1976), 644-fi54.
5. O. Goldreich, S. Goldwasser, S. Halevi, Public-key cryptosystems from lattice reduc-tion problems, MIT - Laboratory for Computer Science preprint, November 1996.
6. S. Goldwasser and A. Micali, Probabilistic encryption, J. Computer and Systems Science 28 (1984), 270-299.
7. J. Hoffstein, J. Pipher, J.H. Silverman, NTRU: A new high speed public key cryp-tosystem, Preprint; presented at the rump session of Crypto 96.
8. A.K. Lenstra, H.W. Lenstra, L. Lovsz, Factoring polynomials with polynomial coef f-ccients, Math. Annalen 26I (1982), 515-534.
9. R.J. McEliece, A public-key cryptosystem based on algebraic coding theory, JPL
Pasadena, DSN Progress Reports 42-44 (1978), 114-116.
Pasadena, DSN Progress Reports 42-44 (1978), 114-116.
10. R.L. Rivest, A. Shamir, L. Adleman, A method for obtaining digital signatures and public key cryptosystems, Communications of the ACM 21 (1978), 120-126.
11. C.P. Schnorr, Block reduced lattice bases and successive minima, Combinatorics, Probability and Computing 3 (1994), 507-522.
12. C.P. Schnorr, H.H. Hoerner, Attacking the Chor Rivest cryptosystem by improved lattice reduction. Proc. EUROCRYPT 1995, Lecture Notes in Computer Science 921, Springer-Verlag, 1995, pp. 1-12.
13. D. Stinson, Cryptography: Theory and Practice, CRC Press, Boca Raton, 1995.
SUBSTTTUTE SHEET (RULE 26)
SUBSTTTUTE SHEET (RULE 26)
Claims (56)
1. A method for encoding and decoding a digital message m, comprising the steps of:
selecting ideals p and q of a ring R;
generating elements f and g of the ring R, and generating element F q which is an inverse of f (mod q), and generating element F p which is an inverse of f (mod p);
producing a public key that includes h, where h is congruent, mod q, to a product that can be derived using g and F q;
producing a private key from which f and F p, can be derived;
producing an encoded message a by encoding the message m using the public key and a random element .PHI.; and producing a decoded message by decoding the encoded message e using the private key.
selecting ideals p and q of a ring R;
generating elements f and g of the ring R, and generating element F q which is an inverse of f (mod q), and generating element F p which is an inverse of f (mod p);
producing a public key that includes h, where h is congruent, mod q, to a product that can be derived using g and F q;
producing a private key from which f and F p, can be derived;
producing an encoded message a by encoding the message m using the public key and a random element .PHI.; and producing a decoded message by decoding the encoded message e using the private key.
2. The method as defined by claim 1, wherein the ring R
is a module over a ring Z.
is a module over a ring Z.
3. The method as defined by claim 1, wherein a dimension of R over Z is N, and where N is an integer greater than 1.
4. The method as defined by claim 3, wherein the ring R
is a ring of polynomials modulo a particular polynomial.
is a ring of polynomials modulo a particular polynomial.
5. The method as defined by claim 1, wherein said step of generating elements further comprises generating element G q which is an inverse of g (mod q), and generating element G p which is an inverse of g (mod p).
6. The method as defined by claim 5, wherein the element G q is used in a derivation of the public key and the element G p is part of the private key.
7. The method as defined by claim 1, wherein said selecting step further includes selecting a positive integer K, and wherein the element g comprises respective g i, with i =
1,2,...,K, and wherein the public key, h, comprises respective h;, with i = 1,2,...,K.
1,2,...,K, and wherein the public key, h, comprises respective h;, with i = 1,2,...,K.
8. The method as defined by claim 7, wherein the random element .PHI. comprises respective .PHI.i in the ideal p, with i =
1,2,...,K, and wherein the encoded message is produced as e=.SIGMA..PHI.i*h i+m(modq).
1,2,...,K, and wherein the encoded message is produced as e=.SIGMA..PHI.i*h i+m(modq).
9. The method as defined by claim 1, wherein the public and the private keys each further include p and q.
10. The method as defined by claim 1, wherein the ideals p and q are generated by relatively prime integers.
11. The method as defined by claim 10, wherein the encoded message is congruent, mod q, to a sum of the message m and a product that includes .PHI. and h.
12. The method as defined by claim 10, wherein the integers p and q are unequal and both p and q are greater than 1.
13. The method as defined by claim 1, wherein the encoded message is produced by a user at a first location, transmitted from the first location to a second location, and decoded by a user at the second location.
14. A method for encoding and decoding a digital message m, comprising the steps of:
selecting integers p and q;
generating polynomials f and g;
determining inverses Fq and Fp, where Fq*f .ident. 1 (mod q) FP*f .ident. 1 (mod p) ;
producing a public key that includes p, q, h, where h .ident. Fq*g (mod q) ;
producing a private key that includes f and Fp;
producing an encoded message a by encoding the message m in a form of a polynomial using the public key and a random polynomial .PHI.; and producing a decoded message by decoding the encoded message a using the private key.
selecting integers p and q;
generating polynomials f and g;
determining inverses Fq and Fp, where Fq*f .ident. 1 (mod q) FP*f .ident. 1 (mod p) ;
producing a public key that includes p, q, h, where h .ident. Fq*g (mod q) ;
producing a private key that includes f and Fp;
producing an encoded message a by encoding the message m in a form of a polynomial using the public key and a random polynomial .PHI.; and producing a decoded message by decoding the encoded message a using the private key.
15. The method as defined by claim 14, wherein the encoded message e is produced as e .ident. p.PHI.*h+m (mod q) .
16. The method as defined by claim 15, wherein the decoded message is produced by computing a .ident. f*e (mod q), and then computing the decoded message, m', as m' .ident. Fp*a (mod p) .
17. The method as defined by claim 14, wherein said step of generating polynomials f and g includes selecting a positive integer K and generating K polynomials g, as g1, g2, . . .gK, and wherein the public key comprises h1, h2, . . .hK, where hi .ident. Fq*gi (mod q) , i = 1, 2, . . . , K.
18. The method as defined by claim 17, wherein said encoded message a is produced as e .ident. p.PHI.1*h1+p.PHI.2*h2+...+p.PHI.K*hK+m (mod q) where .PHI.1, .PHI.2,...., .PHI.K are K random polynomials.
19. The method as defined by claim 14, wherein the encoded message is produced by a user at a first location, transmitted from the first location to a second location, and decoded by a user at the second location.
20. The method as defined by claim 14, wherein a monic polynomial M(X) is selected and multiplication of polynomials is accomplished by first performing ordinary multiplication of polynomials and then dividing a result thereof by M(X) and retaining only a remainder.
21. The method as defined by claim 14, wherein a non-zero integer N is selected and multiplication of polynomials is accomplished by reducing exponents modulo N.
22. The method as defined by claim 14, wherein the polynomials f, g, m and .PHI. are constrained to have bounded coefficients.
23. The method as defined by claim 22, wherein the integer q is chosen smaller than a quantity determined by the integer p, degrees of the polynomials f, g, m and .PHI., and the constraints on the coefficients of f, g, m and .PHI..
24. The method as defined by claim 22, wherein the integer q is chosen larger than a quantity determined by the integer p, degrees of the polynomials f, g, m and .PHI., and the constraints on the coefficients of the polynomials f, g, m and .PHI..
25. A method for encoding and decoding a digital message m, comprising the steps of:
selecting relatively prime integers p and q;
selecting a non-zero integer K;
producing K+2 matrices, f, g, w1, w2,...,wK from a ring of matrices with integer coefficients, with wi .ident. 0 (mod p) for i =
1, 2,..., K.
producing inverse matrices Fp, Fq, Gp and Gq, from the ring of matrices where fFp .ident. I (mod p) fFq .ident. I (mod q) gGp .ident. I (mod p) gGq .ident. I (mod q) where I is an identity matrix;
producing a public key as a list of K matrices (h1, h2, . . . , hK) where hi .ident. FqwiGq (mod q) , i = 1, 2, . . . , K;
producing a private key as the matrices (f, g, FP, Gp);
producing an encoded message a by encoding the message m using the private key and random integers .PHI.1, .PHI.2,..., .PHI.K as e = .PHI.1h1 + .PHI.2h2 + . . . + .PHI.KhK + m (mod q) ; and producing a decoded message m' by computing a .ident. feg (mod q) and b .ident. a (mod p) and then computing the decoded message m' as m' .ident. FpbGP (mod p).
selecting relatively prime integers p and q;
selecting a non-zero integer K;
producing K+2 matrices, f, g, w1, w2,...,wK from a ring of matrices with integer coefficients, with wi .ident. 0 (mod p) for i =
1, 2,..., K.
producing inverse matrices Fp, Fq, Gp and Gq, from the ring of matrices where fFp .ident. I (mod p) fFq .ident. I (mod q) gGp .ident. I (mod p) gGq .ident. I (mod q) where I is an identity matrix;
producing a public key as a list of K matrices (h1, h2, . . . , hK) where hi .ident. FqwiGq (mod q) , i = 1, 2, . . . , K;
producing a private key as the matrices (f, g, FP, Gp);
producing an encoded message a by encoding the message m using the private key and random integers .PHI.1, .PHI.2,..., .PHI.K as e = .PHI.1h1 + .PHI.2h2 + . . . + .PHI.KhK + m (mod q) ; and producing a decoded message m' by computing a .ident. feg (mod q) and b .ident. a (mod p) and then computing the decoded message m' as m' .ident. FpbGP (mod p).
26. The method as defined by claim 25, wherein said encoded message is produced by a user at one location, transmitted from said one location to another location, and decoded by a user at said another location.
27. The method as defined by claim 25, wherein said matrices w1, w2,..., wk, f, g, and m are constrained to have bounded coefficients and the integers .PHI.1, .PHI.2,..., .PHI.K, are constrained to be bounded.
28. The method as defined by claim 27, wherein the integer q is chosen smaller than a quantity determined by the integer p, the integer K; degrees of the polynomials w1, w2,..., wk, f, g, and m, constraints on the coefficients of the polynomials w1, w2,..., wk, f, g, and m, and constraints on the integers .PHI.1, .PHI.2, . . . ,.PHI.K
29. The method as defined by claim 27, wherein the integer q is chosen larger than a quantity determined by the integer p, the integer K, degrees of the polynomials w1, w2,..., wK, f, g, and m, constraints on the coefficients of the polynomials w1, w2,..., wK, f, g, and m, and constraints on the integers .PHI.1, .PHI.2, . . . ,.PHI.K.
30. A system for encoding and decoding a digital message m, comprising:
means for selecting ideals p and q;
means for generating elements f and g of a ring R, and generating element Fq which is an inverse of f (mod q), and generating element Fp which is an inverse of f (mod p);
means for producing a public key that includes h, where h is congruent, mod q, to a product that can be derived using g and Fq;
means for producing a private key from which f and Fp can be derived;
means for producing an encoded message a by encoding the message m using the public key and a random element .PHI.; and means for producing a decoded message by decoding the encoded message a using the private key.
means for selecting ideals p and q;
means for generating elements f and g of a ring R, and generating element Fq which is an inverse of f (mod q), and generating element Fp which is an inverse of f (mod p);
means for producing a public key that includes h, where h is congruent, mod q, to a product that can be derived using g and Fq;
means for producing a private key from which f and Fp can be derived;
means for producing an encoded message a by encoding the message m using the public key and a random element .PHI.; and means for producing a decoded message by decoding the encoded message a using the private key.
31. The system as defined by claim 30, wherein the encoded message is produced by a user at a first location, transmitted from the first location to a second location, and decoded by a user at the second location.
32. A method of communicating information between users of a communications system, comprising the steps of:
generating a ring R, ideals P and Q in R, a set of coset representatives CQ for the ring R modulo the ideal Q, and a set of coset representative CP for the ring R modulo the ideal P;
generating at least one public key element h1,... hk, in the ring R as a function of at least two private key elements f1,..., fn in R and the ideal Q of a first user; and transmitting from the first user to a second user a description of the ring R, the ideal Q, the ideal P, and the public key elements h1,..., hk, in R;
generating an element e in R as a function of the ideals P and Q, the public key elements h1,..., hk, a private message element m in R, and at least one private random element .PHI.1...
.PHI.1 of the second user; and transmitting the element e from the second user to the first user, such that the first user can determine the message element m by computing a result A in R of evaluating a function F of e, f1,..., fn, computing a coset representative a of A in the set of coset representatives CQ, computing a result B of evaluating a function G of a, f1,..., fn, computing a coset representative b of B in the set of coset representatives CP, and computing a result c in the set of coset representatives Cp of evaluating a function H of b, f1, . . . , fn.
generating a ring R, ideals P and Q in R, a set of coset representatives CQ for the ring R modulo the ideal Q, and a set of coset representative CP for the ring R modulo the ideal P;
generating at least one public key element h1,... hk, in the ring R as a function of at least two private key elements f1,..., fn in R and the ideal Q of a first user; and transmitting from the first user to a second user a description of the ring R, the ideal Q, the ideal P, and the public key elements h1,..., hk, in R;
generating an element e in R as a function of the ideals P and Q, the public key elements h1,..., hk, a private message element m in R, and at least one private random element .PHI.1...
.PHI.1 of the second user; and transmitting the element e from the second user to the first user, such that the first user can determine the message element m by computing a result A in R of evaluating a function F of e, f1,..., fn, computing a coset representative a of A in the set of coset representatives CQ, computing a result B of evaluating a function G of a, f1,..., fn, computing a coset representative b of B in the set of coset representatives CP, and computing a result c in the set of coset representatives Cp of evaluating a function H of b, f1, . . . , fn.
33. The method of claim 32, wherein the message element m satisfies a condition that m is an element of CP.
34. The method of claim 32, wherein the first user determines the message element m by computing a function of a, b, c, f1, . . . , fn.
35. The method of claim 32, wherein the public key elements h1,..., hk satisfy a condition that the element fi is congruent in R to a product hifk+1 modulo the ideal Q for each i between 1 and k.
36. The method of claim 32, wherein the private key elements f1,..., fk+1satisfy a condition that the elements f1,..., fk are in the ideal P.
37. The method of claim 32, wherein the private random elements .PHI.1,..., .PHI.i are in the ideal P.
38. The method of claim 32, wherein the element e generated as a function of the public key elements h1,,,..., hk, the private random elements .PHI.1,..., .PHI.K+1 and the private message element m is generated as an element of CQ which is congruent to .PHI.1h1+ .PHI.2h2+ . . . + .PHI.khk+ .PHI.k+m modulo the ideal Q.
39. The method of claim 32, wherein the result A of evaluating the function F of e, f1,..., fn is a product efk+1.
40. The method of claim 32, wherein the result B of evaluating the function G of a, f1,..., fn is the element a.
41. The method of claim 32, wherein the result c in the set of coset representatives CP of evaluating the function H of a, f1, . . . , fn satisfies a condition cfk+1 is congruent to b modulo the ideal P.
42. The method of claim 32, wherein the result c is equal to coset representatives of the message m in the set of coset representatives CP.
43. The method of claim 32, wherein the ring R is a ring of polynomials in one variable X modulo the ideal of R
generated by a monic polynomial M(X) of degree N, wherein the ideal Q of R is an ideal generated by an integer q, the ideal P of R is an ideal generated by an integer p, the set of coset representatives CQ is a set of polynomials of degree at most N-1 in R with coefficients in a fixed set of coset representatives modulo q, and wherein the set of coset representatives Cp is a set of polynomials of degree at most N-1 in R with coefficients in a fixed set of coset representatives modulo p.
generated by a monic polynomial M(X) of degree N, wherein the ideal Q of R is an ideal generated by an integer q, the ideal P of R is an ideal generated by an integer p, the set of coset representatives CQ is a set of polynomials of degree at most N-1 in R with coefficients in a fixed set of coset representatives modulo q, and wherein the set of coset representatives Cp is a set of polynomials of degree at most N-1 in R with coefficients in a fixed set of coset representatives modulo p.
44. The method of claim 43, wherein the private key elements f1,..., fn the private message element m in R, and the private random elements .PHI.1,..., .PHI.i satisfy conditions that include bounds on coefficients thereof.
45. The method of claim 32, wherein the ring R is non-commutative.
46. The method of claim 32, wherein the elements h1,..., hk are generated in CQ according to a condition that an element fk+1hifk+2 is congruent in R to fi modulo the ideal Q for each i between 1 and k.
47. The method of claim 32, wherein the private key elements f1,..., fk are in the ideal P.
48. The method of claim 32, wherein the private random elements .PHI.1, . . . , .PHI.2K+1 satisfy a condition that the elements are in the ideal P.
49. The method of claim 45, wherein the element a generated as a function of the public key elements h 1,..., h k, the private random elements .PHI.1,..., .PHI.2k+1, and the private message element m is generated as an element of C Q which is congruent to .PHI.1h1.PHI.k+1 + .PHI.2h2.PHI.k+2 + ... + .PHI.k h k.PHI.2k +
.PHI.2k+1 + m modulo the ideal Q.
.PHI.2k+1 + m modulo the ideal Q.
50. The method of claim 32, wherein the ring R is a ring of matrices with integer coefficients, the ideal Q of R is an ideal consisting of all matrices divisible by a fixed integer q, the ideal P of R is an ideal consisting of all matrices divisible by a fixed integer p, that the set of coset representatives C Q is a set of elements of R with coefficients in a fixed set of coset representatives modulo q, and the set of coset representatives C P is a set of elements of R with coefficients in a fixed set of covet representatives modulo p.
51. The method of claim 50, wherein the private key elements f 1,..., f n, the private message element m, and the private random elements .PHI.1,..., .PHI.i satisfy conditions that include bounds on coefficients thereof.
52. The method of claim 50, wherein the private random elements .PHI.l, ... , .PHI.i satisfy a condition that .PHI.l, ... , .PHI.i are constant multiples of the identity matrix.
53. The method of claim 32, wherein the ring R is a group ring of a group G, the ideal Q of R is an ideal generated by an integer q, the ideal P of R is an ideal generated by an integer p, the set of coast representatives C Q
is a set of elements of R with coefficients in a fixed set of coset representatives modulo q, and the set of coset representatives C P is a set of elements of R with coefficients in a fixed set of coset representatives modulo p.
is a set of elements of R with coefficients in a fixed set of coset representatives modulo q, and the set of coset representatives C P is a set of elements of R with coefficients in a fixed set of coset representatives modulo p.
54. The method of claim 53, wherein the private key elements f1,..., f n, the private message element m, and the private random elements .PHI.1,..., .PHI.i, satisfy conditions that include bounds on coefficients thereof.
55. The method of claim 32, wherein the ring R is a non-commutative ring of polynomials in two variables X and Y
subject to dihedral relations as follows X N = 1, Y2 = 1, and XY = YX N-1, the ideal Q of R is an ideal generated by an integer q, the ideal P of R is an ideal generated by an integer p, the set of coset representatives C Q is a set of polynomials in R of degree at most N - 1 in the variable X with coefficients chosen from a set of coset representatives modulo q, and wherein the set of coset representatives C P is a set of polynomials in R of degree at most N - 1 in the variable X
with coefficients chosen from a fixed set of coset representatives modulo p.
subject to dihedral relations as follows X N = 1, Y2 = 1, and XY = YX N-1, the ideal Q of R is an ideal generated by an integer q, the ideal P of R is an ideal generated by an integer p, the set of coset representatives C Q is a set of polynomials in R of degree at most N - 1 in the variable X with coefficients chosen from a set of coset representatives modulo q, and wherein the set of coset representatives C P is a set of polynomials in R of degree at most N - 1 in the variable X
with coefficients chosen from a fixed set of coset representatives modulo p.
56. The method of claim 55, wherein the private key elements f1,..., f n, the private message element m, and the private random elements .PHI.1,..., .PHI.i, satisfy conditions that include a condition that some of them lie in a commutative subring R0 of R consisting of all elements .PSI. of R which satisfy a condition Y.PSI. = .PSI.Y.
Applications Claiming Priority (3)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US2413396P | 1996-08-19 | 1996-08-19 | |
| US60/024,133 | 1996-08-19 | ||
| PCT/US1997/015826 WO1998008323A1 (en) | 1996-08-19 | 1997-08-19 | Public key cryptosystem method and apparatus |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CA2263588A1 CA2263588A1 (en) | 1998-02-26 |
| CA2263588C true CA2263588C (en) | 2005-01-18 |
Family
ID=21819032
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CA002263588A Expired - Fee Related CA2263588C (en) | 1996-08-19 | 1997-08-19 | Public key cryptosystem method and apparatus |
Country Status (10)
| Country | Link |
|---|---|
| US (2) | US6081597A (en) |
| EP (1) | EP0920753B1 (en) |
| JP (1) | JP4068664B2 (en) |
| CN (1) | CN1172474C (en) |
| AU (1) | AU716797B2 (en) |
| CA (1) | CA2263588C (en) |
| DE (1) | DE69737097T2 (en) |
| HK (1) | HK1021855A1 (en) |
| IL (1) | IL128552A (en) |
| WO (1) | WO1998008323A1 (en) |
Families Citing this family (112)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US10361802B1 (en) | 1999-02-01 | 2019-07-23 | Blanding Hovenweep, Llc | Adaptive pattern recognition based control system and method |
| US7362775B1 (en) | 1996-07-02 | 2008-04-22 | Wistaria Trading, Inc. | Exchange mechanisms for digital information packages with bandwidth securitization, multichannel digital watermarks, and key management |
| US5613004A (en) | 1995-06-07 | 1997-03-18 | The Dice Company | Steganographic method and device |
| US7664263B2 (en) | 1998-03-24 | 2010-02-16 | Moskowitz Scott A | Method for combining transfer functions with predetermined key creation |
| US6205249B1 (en) | 1998-04-02 | 2001-03-20 | Scott A. Moskowitz | Multiple transform utilization and applications for secure digital watermarking |
| US7177429B2 (en) | 2000-12-07 | 2007-02-13 | Blue Spike, Inc. | System and methods for permitting open access to data objects and for securing data within the data objects |
| US7346472B1 (en) | 2000-09-07 | 2008-03-18 | Blue Spike, Inc. | Method and device for monitoring and analyzing signals |
| US7457962B2 (en) | 1996-07-02 | 2008-11-25 | Wistaria Trading, Inc | Optimization methods for the insertion, protection, and detection of digital watermarks in digitized data |
| US5889868A (en) | 1996-07-02 | 1999-03-30 | The Dice Company | Optimization methods for the insertion, protection, and detection of digital watermarks in digitized data |
| US7159116B2 (en) | 1999-12-07 | 2007-01-02 | Blue Spike, Inc. | Systems, methods and devices for trusted transactions |
| US7095874B2 (en) | 1996-07-02 | 2006-08-22 | Wistaria Trading, Inc. | Optimization methods for the insertion, protection, and detection of digital watermarks in digitized data |
| US6052780A (en) * | 1996-09-12 | 2000-04-18 | Open Security Solutions, Llc | Computer system and process for accessing an encrypted and self-decrypting digital information product while restricting access to decrypted digital information |
| US7730317B2 (en) | 1996-12-20 | 2010-06-01 | Wistaria Trading, Inc. | Linear predictive coding implementation of digital watermarks |
| US6373986B1 (en) * | 1998-04-08 | 2002-04-16 | Ncr Corporation | Compression of data transmission by use of prime exponents |
| US6785388B1 (en) * | 1998-09-16 | 2004-08-31 | Murata Kikai Kabushiki Kaisha | Encryption method, decryption method, encryption/decryption method, cryptographic communications system, and computer usable medium |
| US6415032B1 (en) * | 1998-12-01 | 2002-07-02 | Xilinx, Inc. | Encryption technique using stream cipher and block cipher |
| US6733998B1 (en) * | 1998-12-07 | 2004-05-11 | Sloan-Kettering Institute For Cancer Research | Micromonospora echinospora genes coding for biosynthesis of calicheamicin and self-resistance thereto |
| US6654889B1 (en) | 1999-02-19 | 2003-11-25 | Xilinx, Inc. | Method and apparatus for protecting proprietary configuration data for programmable logic devices |
| US7664264B2 (en) | 1999-03-24 | 2010-02-16 | Blue Spike, Inc. | Utilizing data reduction in steganographic and cryptographic systems |
| US6959085B1 (en) | 1999-05-03 | 2005-10-25 | Ntru Cryptosystems, Inc. | Secure user identification based on ring homomorphisms |
| DE60021985T2 (en) * | 1999-05-27 | 2006-06-08 | Koninklijke Philips Electronics N.V. | METHOD OF DEVICE FOR SAFE PRODUCTION OF PUBLIC / SECRET KEY PAIRS |
| WO2001018628A2 (en) | 1999-08-04 | 2001-03-15 | Blue Spike, Inc. | A secure personal content server |
| JP2001211153A (en) * | 2000-01-25 | 2001-08-03 | Murata Mach Ltd | Secret key generating method |
| GB0013356D0 (en) * | 2000-06-01 | 2000-07-26 | Tao Group Ltd | A method of validating an encrypted message |
| GB0013399D0 (en) * | 2000-06-01 | 2000-07-26 | Tao Group Ltd | Decryption of cipher polynomials |
| GB0013355D0 (en) * | 2000-06-01 | 2000-07-26 | Tao Group Ltd | Parallel modulo arithmetic using bitwise logical operations |
| WO2002015455A2 (en) * | 2000-08-11 | 2002-02-21 | Storage Technology Corporation | Public key generation method and apparatus |
| US7127615B2 (en) | 2000-09-20 | 2006-10-24 | Blue Spike, Inc. | Security based on subliminal and supraliminal channels for data objects |
| US7155610B2 (en) | 2000-12-19 | 2006-12-26 | Matsushita Electric Industrial Co., Ltd. | Cryptocommunication system, transmission apparatus, and reception apparatus |
| US7181017B1 (en) | 2001-03-23 | 2007-02-20 | David Felsher | System and method for secure three-party communications |
| JP4188571B2 (en) * | 2001-03-30 | 2008-11-26 | 株式会社日立製作所 | Arithmetic method of information processing apparatus and tamper resistant arithmetic disturbance implementation method |
| EP1796308A3 (en) | 2001-05-04 | 2008-02-20 | NTT DoCoMo Inc. | Ring-based signature scheme |
| WO2002091664A1 (en) * | 2001-05-04 | 2002-11-14 | Docomo Communications Laboratories Usa, Inc. | Ring-based signature scheme |
| US8812398B2 (en) * | 2001-05-08 | 2014-08-19 | Qualcomm Incorporated | Key for a wireless-enabled device |
| US6510988B1 (en) | 2001-05-11 | 2003-01-28 | Eric M. Kraus | Identification bracelet |
| US7136484B1 (en) * | 2001-10-01 | 2006-11-14 | Silicon Image, Inc. | Cryptosystems using commuting pairs in a monoid |
| EP2148463A3 (en) * | 2001-10-19 | 2015-04-22 | Panasonic Intellectual Property Management Co., Ltd. | A numerical array output device, a numerical array output method, an encryption device, and a decryption device |
| KR100406138B1 (en) * | 2001-11-28 | 2003-11-14 | 한국전자통신연구원 | apparatus for NTRU Cryptosystem |
| JP2005515659A (en) * | 2001-12-07 | 2005-05-26 | エヌティーアールユー・クリプトシステムズ・インコーポレーテッド | Digital signature, authentication method and apparatus |
| US7287275B2 (en) | 2002-04-17 | 2007-10-23 | Moskowitz Scott A | Methods, systems and devices for packet watermarking and efficient provisioning of bandwidth |
| US6973579B2 (en) | 2002-05-07 | 2005-12-06 | Interdigital Technology Corporation | Generation of user equipment identification specific scrambling code for the high speed shared control channel |
| US7221757B2 (en) * | 2002-08-15 | 2007-05-22 | Opentv, Inc. | Method and system for accelerated data encryption |
| US7184551B2 (en) * | 2002-09-30 | 2007-02-27 | Micron Technology, Inc. | Public key cryptography using matrices |
| US20040105546A1 (en) * | 2002-11-19 | 2004-06-03 | Leon Chernyak | Geometry-Based Symmetric Cryptosystem Method |
| CN1692598A (en) * | 2002-12-03 | 2005-11-02 | 松下电器产业株式会社 | Key sharing system, shared key generating apparatus, and shared key restoring apparatus |
| KR20050083566A (en) * | 2002-12-03 | 2005-08-26 | 마츠시타 덴끼 산교 가부시키가이샤 | Key sharing system, shared key creation device, and shared key restoration device |
| US7249254B2 (en) * | 2002-12-13 | 2007-07-24 | Certicom Corp. | Method and apparatus for protecting NTRU against a timing attack |
| US9818136B1 (en) | 2003-02-05 | 2017-11-14 | Steven M. Hoffberg | System and method for determining contingent relevance |
| US7756269B2 (en) * | 2003-03-14 | 2010-07-13 | Qualcomm Incorporated | Cryptosystem for communication networks |
| JP4567364B2 (en) * | 2003-04-24 | 2010-10-20 | パナソニック株式会社 | Parameter generating apparatus, encryption system, decryption system, encryption apparatus, encryption method, decryption method, and program |
| EP1616405A1 (en) * | 2003-04-24 | 2006-01-18 | Matsushita Electric Industrial Co., Ltd. | Apparatus to generate parameter for ntru, ntru decryption and encryption system, apparatus, method and program implementing said parameter generating unit |
| US20060002562A1 (en) * | 2003-06-02 | 2006-01-05 | Arkady Berenstein | Method and apparatus for geometric key establishment protocols based on topological groups |
| JP4422981B2 (en) * | 2003-06-12 | 2010-03-03 | パナソニック株式会社 | Cryptographic communication system |
| KR100561847B1 (en) * | 2003-10-08 | 2006-03-16 | 삼성전자주식회사 | Method of public key encryption and decryption method |
| US7526643B2 (en) * | 2004-01-08 | 2009-04-28 | Encryption Solutions, Inc. | System for transmitting encrypted data |
| US8031865B2 (en) * | 2004-01-08 | 2011-10-04 | Encryption Solutions, Inc. | Multiple level security system and method for encrypting data within documents |
| US7752453B2 (en) * | 2004-01-08 | 2010-07-06 | Encryption Solutions, Inc. | Method of encrypting and transmitting data and system for transmitting encrypted data |
| JP4715748B2 (en) | 2004-03-31 | 2011-07-06 | 日本電気株式会社 | How to apply padding to ensure the security of cryptography |
| US7773746B2 (en) | 2004-05-12 | 2010-08-10 | Panasonic Corporation | Encryption system, encryption device, decryption device, program, and integrated circuit |
| US7590236B1 (en) * | 2004-06-04 | 2009-09-15 | Voltage Security, Inc. | Identity-based-encryption system |
| DE602006012935D1 (en) | 2005-01-24 | 2010-04-29 | Panasonic Corp | SIGNATURE GENERATION DEVICE, KEY GENERATION DEVICE AND SIGNATURE GENERATION PROCESS |
| US7917764B2 (en) | 2005-01-24 | 2011-03-29 | Panasonic Corporation | Signature generation device and signature verification device |
| US7694152B2 (en) * | 2005-02-03 | 2010-04-06 | International Business Machines Corporation | Memory controller with performance-modulated security |
| JPWO2006114948A1 (en) | 2005-04-18 | 2008-12-18 | 松下電器産業株式会社 | Signature generation apparatus and signature verification apparatus |
| WO2006115021A1 (en) | 2005-04-18 | 2006-11-02 | Matsushita Electric Industrial Co., Ltd. | Signature generation device and signature verification device |
| IE20050277A1 (en) * | 2005-05-04 | 2006-11-29 | Nat Univ Ireland | Method and apparatus for generating error-correcting and error-detecting codes using zero-divisors and units in group rings |
| US8874477B2 (en) | 2005-10-04 | 2014-10-28 | Steven Mark Hoffberg | Multifactorial optimization system and method |
| US8462940B2 (en) * | 2006-01-11 | 2013-06-11 | International Business Machines Corporation | Public key cryptosystem and associated method utilizing a hard lattice with O(n log n) random bits for security |
| US7941726B2 (en) * | 2006-06-30 | 2011-05-10 | Microsoft Corporation | Low dimensional spectral concentration codes and direct list decoding |
| KR100742093B1 (en) | 2007-05-10 | 2007-07-24 | 인하대학교 산학협력단 | A method for calculating a polynomial convolution operation for ntru encryption and decryption |
| FR2917920B1 (en) * | 2007-06-22 | 2009-10-09 | Centre Nat Rech Scient | AUTHENTICATION METHOD USING AN ERROR-CORRECTING CODE DECODING FROM A PUBLIC MATRIX |
| KR100876442B1 (en) | 2007-12-28 | 2008-12-29 | 인하대학교 산학협력단 | A secure method for calculating a polynomial convolution operation for an ntru cryptosystem |
| KR100875461B1 (en) | 2008-02-27 | 2008-12-23 | 인하대학교 산학협력단 | A method and a computer readable media resistant to power analysis attacks for calculating an ntru polynomial convolution operation |
| CN101965711B (en) | 2008-04-09 | 2014-12-03 | 松下电器产业株式会社 | Signature and verification method, signature generation device, and signature verification device |
| CN102016958A (en) | 2008-06-04 | 2011-04-13 | 松下电器产业株式会社 | Encryption device and encryption system |
| US20090313171A1 (en) * | 2008-06-17 | 2009-12-17 | Microsoft Corporation | Electronic transaction verification |
| US20100100947A1 (en) * | 2008-10-21 | 2010-04-22 | Apple Inc. | Scheme for authenticating without password exchange |
| GB0822870D0 (en) * | 2008-12-16 | 2009-01-21 | Hatton Leslie | Cryptography |
| FR2956541B1 (en) | 2010-02-18 | 2012-03-23 | Centre Nat Rech Scient | CRYPTOGRAPHIC METHOD FOR COMMUNICATING CONFIDENTIAL INFORMATION. |
| JP5491638B2 (en) * | 2010-10-26 | 2014-05-14 | 日本電信電話株式会社 | Proxy calculation system, calculation device, capability providing device, proxy calculation method, capability providing method, program, and recording medium |
| ITGE20110091A1 (en) | 2011-08-10 | 2013-02-11 | Carlo Pes | METHOD OF ENCRYPTION AND DRAWING |
| JP5790287B2 (en) * | 2011-08-12 | 2015-10-07 | ソニー株式会社 | Information processing apparatus, information processing method, program, and recording medium |
| JP6019453B2 (en) | 2012-07-05 | 2016-11-02 | 株式会社クリプト・ベーシック | ENCRYPTION DEVICE, DECRYPTION DEVICE, AND PROGRAM |
| US10148285B1 (en) | 2012-07-25 | 2018-12-04 | Erich Schmitt | Abstraction and de-abstraction of a digital data stream |
| WO2014016795A2 (en) | 2012-07-26 | 2014-01-30 | Nds Limited | Method and system for homomorphicly randomizing an input |
| TWI474189B (en) * | 2012-07-31 | 2015-02-21 | Chunghwa Telecom Co Ltd | Automatic file encryption and decryption system |
| US9634840B2 (en) * | 2013-07-23 | 2017-04-25 | Security Innovation Inc. | Digital signature technique |
| US9722798B2 (en) | 2014-02-10 | 2017-08-01 | Security Innovation Inc. | Digital signature method |
| US10795858B1 (en) | 2014-02-18 | 2020-10-06 | Erich Schmitt | Universal abstraction and de-abstraction of a digital data stream |
| CN106416119B (en) * | 2014-03-31 | 2019-10-11 | 爱迪德技术有限公司 | Protect software project |
| CN105337737B (en) * | 2014-07-03 | 2018-11-20 | 华为技术有限公司 | Public key encryption communication means and device |
| JP2018503113A (en) * | 2014-11-27 | 2018-02-01 | コーニンクレッカ フィリップス エヌ ヴェKoninklijke Philips N.V. | Electronic computing device for performing obfuscated operations |
| NL2013944B1 (en) * | 2014-12-09 | 2016-10-11 | Koninklijke Philips Nv | Public-key encryption system. |
| US20160352710A1 (en) | 2015-05-31 | 2016-12-01 | Cisco Technology, Inc. | Server-assisted secure exponentiation |
| TWI569166B (en) * | 2016-01-05 | 2017-02-01 | 精品科技股份有限公司 | Data verification method |
| US10277403B2 (en) | 2016-02-25 | 2019-04-30 | Onboard Security, Inc. | Digital signature method and apparatus |
| EP3244567A1 (en) | 2016-05-13 | 2017-11-15 | ABB Schweiz AG | Encryption for low-end devices through random number generation offloading |
| EP3364596A1 (en) * | 2017-02-15 | 2018-08-22 | Koninklijke Philips N.V. | Key exchange devices and method |
| US10924287B2 (en) * | 2017-06-23 | 2021-02-16 | Onboard Security, Inc. | Digital signature technique |
| DE102017117907B4 (en) * | 2017-08-07 | 2023-04-27 | Infineon Technologies Ag | Performing a cryptographic operation |
| FI128841B (en) * | 2018-03-22 | 2021-01-15 | Univ Helsinki | Sensor calibration |
| DE102018108313A1 (en) * | 2018-04-09 | 2019-10-10 | Infineon Technologies Ag | A method and processing apparatus for performing a grid-based cryptographic operation |
| CN108712256B (en) * | 2018-07-02 | 2021-10-26 | 复旦大学 | Encryption and decryption algorithm based on elliptic curve subdomain subcodes |
| WO2020016268A1 (en) * | 2018-07-17 | 2020-01-23 | Koninklijke Philips N.V. | Key encapsulation protocols |
| TWI672932B (en) * | 2018-09-27 | 2019-09-21 | 國立交通大學 | Post-quantum asymmetric key generation method and system, encryption method, decryption method, and encrypted communication system based on prime array |
| CN109543421A (en) * | 2018-12-12 | 2019-03-29 | 四川大学华西医院 | A kind of medical information protection system and method for discussing Encryption Algorithm based on polynomial number |
| CN111586685B (en) * | 2020-04-26 | 2022-05-03 | 重庆邮电大学 | Anonymous roaming authentication method based on lattices |
| GB202011415D0 (en) | 2020-07-23 | 2020-09-09 | Optalysys Ltd | Public-key cryptography methods and/or systems |
| EP4356548A1 (en) * | 2021-06-19 | 2024-04-24 | NTT Research, Inc. | Broadcast encryption with improved resource utilization |
| KR102595938B1 (en) * | 2021-12-02 | 2023-10-30 | 조선대학교산학협력단 | Polynomial inverse generating apparatus and method for an encryption system that encrypts and decrypts data using polynomials |
| KR102600166B1 (en) * | 2021-12-02 | 2023-11-08 | 조선대학교산학협력단 | Inverse generating apparatus and method for generating the inverse of a polynomial used in an encryption system that performs encryption/decryption of data using a polynomial |
| ES2948323A1 (en) * | 2022-02-15 | 2023-09-08 | Univ Granada | Post-quantum encryption/decryption procedure and device using linear codes (Machine-translation by Google Translate, not legally binding) |
Family Cites Families (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US4218582A (en) * | 1977-10-06 | 1980-08-19 | The Board Of Trustees Of The Leland Stanford Junior University | Public key cryptographic apparatus and method |
| US4405829A (en) * | 1977-12-14 | 1983-09-20 | Massachusetts Institute Of Technology | Cryptographic communications system and method |
| US4633036A (en) * | 1984-05-31 | 1986-12-30 | Martin E. Hellman | Method and apparatus for use in public-key data encryption system |
| US5054066A (en) * | 1988-11-16 | 1991-10-01 | Grumman Corporation | Error correcting public key cryptographic method and program |
| EP0383985A1 (en) * | 1989-02-24 | 1990-08-29 | Claus Peter Prof. Dr. Schnorr | Method for subscriber identification and for generation and verification of electronic signatures in a data exchange system |
| US5351297A (en) * | 1991-06-28 | 1994-09-27 | Matsushita Electric Industrial Co., Ltd. | Method of privacy communication using elliptic curves |
| US5231668A (en) * | 1991-07-26 | 1993-07-27 | The United States Of America, As Represented By The Secretary Of Commerce | Digital signature algorithm |
| US5271061A (en) * | 1991-09-17 | 1993-12-14 | Next Computer, Inc. | Method and apparatus for public key exchange in a cryptographic system |
| US5276737B1 (en) * | 1992-04-20 | 1995-09-12 | Silvio Micali | Fair cryptosystems and methods of use |
| US5299262A (en) * | 1992-08-13 | 1994-03-29 | The United States Of America As Represented By The United States Department Of Energy | Method for exponentiating in cryptographic systems |
| US5375170A (en) * | 1992-11-13 | 1994-12-20 | Yeda Research & Development Co., Ltd. | Efficient signature scheme based on birational permutations |
| NL9301348A (en) * | 1993-08-02 | 1995-03-01 | Stefanus Alfonsus Brands | Electronic payment system |
| ATE187588T1 (en) * | 1993-08-17 | 1999-12-15 | R3 Security Engineering Ag | PROCEDURE FOR DIGITAL SIGNATURE AND PROCEDURE FOR KEY AGREEMENT |
| WO1995015633A1 (en) * | 1993-12-01 | 1995-06-08 | William Michael Raike | A non-deterministic public key encryption system |
| US5668878A (en) * | 1994-02-28 | 1997-09-16 | Brands; Stefanus Alfonsus | Secure cryptographic methods for electronic transfer of information |
| US5625692A (en) * | 1995-01-23 | 1997-04-29 | International Business Machines Corporation | Method and system for a public key cryptosystem having proactive, robust, and recoverable distributed threshold secret sharing |
| US5577124A (en) * | 1995-03-09 | 1996-11-19 | Arithmetica, Inc. | Multi-purpose high speed cryptographically secure sequence generator based on zeta-one-way functions |
| FR2737370B1 (en) * | 1995-07-27 | 1997-08-22 | Bull Cp8 | CRYPTOGRAPHIC COMMUNICATION METHOD |
-
1997
- 1997-08-19 AU AU45828/97A patent/AU716797B2/en not_active Ceased
- 1997-08-19 CA CA002263588A patent/CA2263588C/en not_active Expired - Fee Related
- 1997-08-19 WO PCT/US1997/015826 patent/WO1998008323A1/en active IP Right Grant
- 1997-08-19 IL IL12855297A patent/IL128552A/en not_active IP Right Cessation
- 1997-08-19 JP JP51105198A patent/JP4068664B2/en not_active Expired - Fee Related
- 1997-08-19 DE DE69737097T patent/DE69737097T2/en not_active Expired - Lifetime
- 1997-08-19 EP EP97944301A patent/EP0920753B1/en not_active Expired - Lifetime
- 1997-08-19 CN CNB971984514A patent/CN1172474C/en not_active Expired - Fee Related
- 1997-08-19 US US08/914,449 patent/US6081597A/en not_active Expired - Lifetime
-
1999
- 1999-12-09 HK HK99105822A patent/HK1021855A1/en not_active IP Right Cessation
-
2000
- 2000-04-05 US US09/543,708 patent/US6298137B1/en not_active Expired - Lifetime
Also Published As
| Publication number | Publication date |
|---|---|
| EP0920753B1 (en) | 2006-12-13 |
| IL128552A (en) | 2004-06-01 |
| CN1232588A (en) | 1999-10-20 |
| HK1021855A1 (en) | 2000-07-07 |
| IL128552A0 (en) | 2000-01-31 |
| EP0920753A4 (en) | 2004-11-10 |
| AU716797B2 (en) | 2000-03-09 |
| CA2263588A1 (en) | 1998-02-26 |
| US6298137B1 (en) | 2001-10-02 |
| US6081597A (en) | 2000-06-27 |
| DE69737097T2 (en) | 2007-07-12 |
| JP2000516733A (en) | 2000-12-12 |
| DE69737097D1 (en) | 2007-01-25 |
| WO1998008323A1 (en) | 1998-02-26 |
| EP0920753A1 (en) | 1999-06-09 |
| CN1172474C (en) | 2004-10-20 |
| JP4068664B2 (en) | 2008-03-26 |
| AU4582897A (en) | 1998-03-06 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CA2263588C (en) | Public key cryptosystem method and apparatus | |
| May | Using LLL-reduction for solving RSA and factorization problems | |
| US5231668A (en) | Digital signature algorithm | |
| Chang | Single database private information retrieval with logarithmic communication | |
| Nguyen et al. | Lattice reduction in cryptology: An update | |
| Kuznetsov et al. | Code-based public-key cryptosystems for the post-quantum period | |
| US4306111A (en) | Simple and effective public-key cryptosystem | |
| Zheng et al. | Practical approaches to attaining security against adaptively chosen ciphertext attacks | |
| Vanstone et al. | Elliptic curve cryptosystems using curves of smooth order over the ring Z/sub n | |
| US20020041684A1 (en) | Public-key encryption and key-sharing methods | |
| JP2000502196A (en) | Control self-map public key system | |
| EP1287641B1 (en) | A method of validating an encrypted message | |
| WO2008022158A2 (en) | System for non-interactive zero-knowledge proofs | |
| JP2003535362A (en) | Decryption of cryptographic polynomial | |
| US20060251248A1 (en) | Public key cryptographic methods and systems with preprocessing | |
| US20080019508A1 (en) | Public key cryptographic methods and systems with rebalancing | |
| Buchmann et al. | Efficiency improvement for NTRU | |
| Varadharajan et al. | Public key cryptosystems based on boolean permutations and their applications | |
| Hemenway et al. | Public key encryption which is simultaneously a locally-decodable error-correcting code | |
| Bayane et al. | A novel digital signature based on error correcting codes | |
| Yan et al. | Number-Theoretic Cryptography | |
| Mittal et al. | McEliece and Blum-Goldwasser group rings based probabilistic cryptosystems | |
| JP3240723B2 (en) | Communication method, secret communication method and signature communication method | |
| Rastaghi | New approach for CCA2-secure post-quantum cryptosystem using knapsack problem | |
| US20060013403A1 (en) | Factorization-based encryption method |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| EEER | Examination request | ||
| MKLA | Lapsed |
Effective date: 20130820 |