Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From - PowerPoint PPT Presentation

Mod-NTRU trapdoors and applications Alexandre Wallet Lattices: From Theory to Practice Simons Institute, 29/04/2020 Based on a joint work with Chitchanok Chuengsatiansup, Thomas Prest, Damien Stehlé and Keita Xagawa, ePrint 2019/1456 1/17 A. Wallet

Today’s talk A larger class of almost “optimal” trapdoors from NTRU modules Known applications: (not detailed today) (A) New meaningful security/efficiency trade-offs for GPV signatures Acceptably efficient PKE/KEM à la NTRUEncrypt (B) Extension of [DLP’14]’s IBE (A) see our article (B) Cheon, Kim, Kim, and Son, ePrint 2019/1468 2/17 A. Wallet

Roadmap Lattice trapdoors, NTRU lattices 1 Hard NTRU lattices with half-trapdoors 2 Completing the trapdoor, application to signatures 3 3/17 A. Wallet

Lattice trapdoors Parity-check lattices For A ∈ Z m × n and q ∈ Z q ( A ) = { x ∈ Z m : xA = 0 mod q } . Λ ⊥ q ( A )) A are “hard lattices”: for A ← U ( Z m × n [Ajt’96] (Λ ⊥ ) , SIS m,q ≥ SIVP poly( n ) q A trapdoor is a short basis B of Λ ⊥ q ( A ) . ( � B � max := max i � b i � is small) What is “optimal”? � � q ( A )) 1 /m , where � B � max ≈ Vol(Λ ⊥ B = GSO ( B ) . 4/17 A. Wallet

Canonical example: GPV signatures If B is basis of Λ ⊥ q ( A ) , then BA = 0 mod q Simplified Sign B (msg) : Simplified Verif A (msg , s ) : c such that cA = H (msg) If � s � too big, refuse. v ← D L ( B ) , c ,σ with TheSampler † If sA � = H (msg) , refuse. Signature: s = c − v . Accept. Requirements B Gaussian of std.dev. σ ⇒ � s � ≈ σ √ m σ small ⇒ � B short Want n and q s.t. SIS m,q,σ √ m is hard � Hard to compute B from A Method determines m = m ( n, q ) . Easy to generate ( A , B ) † : remember Thomas’ talk 5/17 A. Wallet

Development of lattice trapdoors � Algorithms to generate trapdoored hard lattices: B = GSO ( B ) ✕ optimal [Ajt’99] A hard and � B � max = O ( m 5 / 2 ) . ✕ practical [AP’09] A hard, m = Ω( n log q ) ✓ optimal B � max = O ( √ n log q ) ✕ practical � � 6/17 A. Wallet

Development of lattice trapdoors � Algorithms to generate trapdoored hard lattices: B = GSO ( B ) ✕ optimal [Ajt’99] A hard and � B � max = O ( m 5 / 2 ) . ✕ practical [AP’09] A hard, m = Ω( n log q ) ✓ optimal B � max = O ( √ n log q ) ✕ practical � � [MP’12] Meaningful improvements getting there! B � = O ( √ n log q ) But still � � 6/17 A. Wallet

Development of lattice trapdoors � Algorithms to generate trapdoored hard lattices: B = GSO ( B ) ✕ optimal [Ajt’99] A hard and � B � max = O ( m 5 / 2 ) . ✕ practical [AP’09] A hard, m = Ω( n log q ) ✓ optimal B � max = O ( √ n log q ) ✕ practical � � [MP’12] Meaningful improvements getting there! B � = O ( √ n log q ) But still � � [DLP’14] A an NTRU lattice, m = 2 n B � max ≈ √ q ✓ optimal � � ✓ practical Today : A an NTRU lattice, m = cn � � c . 1 B � max ≈ q 6/17 A. Wallet

NTRU modules f = � i f i X i R = Z [ X ] / ( φ ) , deg φ = n , irreducible. q a prime ( f 0 , . . . , f n − 1 ) or T ( f ) multiplication matrix F ∈ R m × m invertible mod q , G ∈ R m × k 7/17 A. Wallet

NTRU modules f = � i f i X i R = Z [ X ] / ( φ ) , deg φ = n , irreducible. q a prime ( f 0 , . . . , f n − 1 ) or T ( f ) multiplication matrix F ∈ R m × m invertible mod q , G ∈ R m × k q ([ H | − I k ]) = { ( u , v ) ∈ R ( m + k ) : uH − v = 0 mod q } , L m,k NTRU := Λ ⊥ (full) rank ( m + k ) n lattice with volume q kn easy (public) basis: Minima, covering radius, smoothing parameter all are ≈ q k/ ( m + k ) 7/17 A. Wallet

Use of NTRU modules Non exhaustive; all of these are for m = k = 1 PKE/KEM: Signatures: NTRUEncrypt [HPS’98] NTRUSign [HHS+’03] NTRUEnc-HRSS [HH+’17] Falcon (from [DLP’14] from [GPV’08]) NTRUPrime [BCLV’17] BLISS [DDLL’13] Advanced: HE [LTV’12] Multilinear maps [GGH’13] IBE [DLP’14] 8/17 A. Wallet

Where are we? Lattice trapdoors, NTRU lattices 1 Hard NTRU lattices with half-trapdoors 2 Trapdoor generation, a starter Hardness of trapdoored NTRU Completing the trapdoor, application to signatures 3 9/17 A. Wallet

How to generate a useful NTRU module � F � G should give us � � T ( B ) � max ≈ q k/ ( m + k ) Trapdoor basis B = ∗ ∗ Lemma: If B = [ b 1 , . . . , b m + k ] , then: � � T ( B ) � max = max i {� � b 1 � , . . . , � � b m + k �} ≥ q k/ ( m + k ) A starter: take s ≈ q k/ ( m + k ) 1) Sample b i ← D m + k for 1 ≤ i ≤ m R,s 2) Parse as [ b 1 , . . . , b m ] = [ F | G ] ; restart if F not invertible mod q 10/17 A. Wallet

How to generate a useful NTRU module � F � G should give us � � T ( B ) � max ≈ q k/ ( m + k ) Trapdoor basis B = ∗ ∗ Lemma: If B = [ b 1 , . . . , b m + k ] , then: � � T ( B ) � max = max i {� � b 1 � , . . . , � � b m + k �} ≥ q k/ ( m + k ) A starter: take s ≈ q k/ ( m + k ) 1) Sample b i ← D m + k for 1 ≤ i ≤ m R,s 2) Parse as [ b 1 , . . . , b m ] = [ F | G ] ; restart if F not invertible mod q Caveat: orthogonal projections shrink vectors by some factor γ i ⇒ b 1 will be maximal, completion of basis will compensate. 10/17 A. Wallet

How to generate a useful NTRU module � F � G should give us � � T ( B ) � max ≈ q k/ ( m + k ) Trapdoor basis B = ∗ ∗ Lemma: If B = [ b 1 , . . . , b m + k ] , then: � � T ( B ) � max = max i {� � b 1 � , . . . , � � b m + k �} ≥ q k/ ( m + k ) A better start: set s i ≈ γ i · q k/ ( m + k ) 1) Sample b i ← D m + k R,s i for 1 ≤ i ≤ m 2) Parse as [ b 1 , . . . , b m ] = [ F | G ] ; restart if F not invertible mod q Output a half-trapdoor for H = F − 1 G mod q . Remaining problems: Is Λ ⊥ q ( H ) a hard lattice ? How to complete the basis? Will the completion be nice? 10/17 A. Wallet

How hard are trapdoored NTRU lattices? “NTRU assumption” Computational Decisional Hard to distinguish H from U ( R m × k Hard to compute F , G from H ) q Well, if not, it’s not a trapdoor... Needed for Λ ⊥ q ( H ) to be “hard” Call E s the distribution of H = F − 1 G mod q 11/17 A. Wallet

How hard are trapdoored NTRU lattices? “NTRU assumption” Computational Decisional Hard to distinguish H from U ( R m × k Hard to compute F , G from H ) q Well, if not, it’s not a trapdoor... Needed for Λ ⊥ q ( H ) to be “hard” Call E s the distribution of H = F − 1 G mod q New result: Φ = X n + 1 , n a power of two, q ≡ 3 mod 8 , for 3 k ≥ m ≥ 1 k When s ≥ � m + k ) , then E s ≈ U ( R m × k O ( n · q ) q [SS’11] for m = k = 1 , the result hold for all q . Strongly supports hardness of the trapdoored NTRU lattices 11/17 A. Wallet

On the uniformity of the public basis New result: Φ = X n + 1 , n a power of two, q ≡ 3 mod 8 , for 3 k ≥ m ≥ 1 , k when s ≥ � m + k ) , then E s ≈ U ( R m × k O ( n · q ) q Intermediate useful result: if q = p 1 . . . p r , when s ≥ � 1 2 r ) , then P F ← D m × m 4 n O ( n · q [ F invertible mod q ] ≥ 1 − q n/r R,s 12/17 A. Wallet

On the uniformity of the public basis New result: Φ = X n + 1 , n a power of two, q ≡ 3 mod 8 , for 3 k ≥ m ≥ 1 , k when s ≥ � m + k ) , then E s ≈ U ( R m × k O ( n · q ) q Intermediate useful result: if q = p 1 . . . p r , when s ≥ � 1 2 r ) , then P F ← D m × m 4 n O ( n · q [ F invertible mod q ] ≥ 1 − q n/r R,s Proof ideas/tools: Inspired of [SS’11] and [LPR’13] Involve module “multi-lattices” (additive subgroups of M m ( R ) , see also [BF’11]) { Mod q invertibles } is not a lattice; our strategy to describe it: inclusion/exclusion over *all* lattices containing q M m ( R ) (They correspond to *all* r -uples of subspaces of ( F q n/r ) m ) 12/17 A. Wallet

Lattice trapdoors, NTRU lattices 1 Hard NTRU lattices with half-trapdoors 2 Trapdoor generation, a starter Hardness of trapdoored NTRU Completing the trapdoor, application to signatures 3 13/17 A. Wallet

Generating a somewhat short basis 1 From now on, k = 1 and m ≥ 1 . with [ F | g ] = [ b 1 , . . . , b n ] and b i ← D m +1 R,s i Now, need ( f ′ , g ′ ) ∈ R m +1 such that

Generating a somewhat short basis 1 From now on, k = 1 and m ≥ 1 . with [ F | g ] = [ b 1 , . . . , b n ] and b i ← D m +1 R,s i With Shur’s complement and Now, need ( f ′ , g ′ ) ∈ R m +1 such that adj( F ) = det( F ) · F − 1 ∈ R m × m : D = det( F ) · det( g ′ − f ′ · F − 1 · g ) = g ′ · det( F ) − f ′ · adj( F ) g � �� � � �� � known known ∈ R m ∈ R Take f ′ = ( . . . , 0 , f ′ i , 0 , . . . ) ⇒ back to solving an NTRU equation (remember Thomas’ talk) 1 For another approach, see Cheon et al. ePrint 2019/1468 14/17 A. Wallet

Almost optimal trapdoors Last problem: how large is b m +1 = ( f ′ , g ′ ) ? q Since all � � b i � ’s are about q 1 / ( m +1) , Fact 1: � � b m +1 � ≥ � i � � � � b i � b m +1 � should be, too. Fact 2: � � b m +1 � computable from � b 1 , . . . , � b m without knowing b m +1 15/17 A. Wallet