Recovering NTRU Secret Key From Inversion Oracles - PowerPoint PPT Presentation


  1. Recovering NTRU Secret Key From Inversion Oracles
     Petros Mol (University of California, San Diego) and Moti Yung (Google Inc. / Columbia)
     PKC 2008

  2. Presentation Outline
     • Overview of NTRUEncrypt
     • Modeling Inverting Algorithms with Inversion Oracles
     • Reducing Key Recovery to the Inversion of the NTRU Function
     • Conclusions

  3. Motivation
     • Rabin Cryptosystem: Finding square roots modulo a composite N ⇒ Recovering sk = (p, q) (Factoring N)
     • RSA: Can we factor N if we can invert f(x) = x^e (mod N)? (The answer is believed to be negative)
     This work: Can we recover the NTRU secret key if we are able to invert the NTRU Function?
     Scenarios: Perfect Inversion Oracles
     i) Full output of the preimage
     ii) YES/NO output (Decisional Version)

  4. The NTRUEncrypt Scheme
     Notation
     • P = Z_q[X]/(X^N − 1): ring of truncated polynomials
     • B, B(d): binary polynomials (resp. with Hamming weight d)
     Ring Multiplication
     • h(x) = f(x) * g(x), where h_k = Σ_{i+j ≡ k (mod N)} f_i · g_j
     • The operator * is both commutative and associative
     Inverse of a polynomial p ∈ P: a polynomial p^{-1} ∈ P with p * p^{-1} ≡ 1 (mod q)

  5. Parameter Set
     • N: All the polynomials have degree up to N−1 (N should be prime and sufficiently large to resist lattice attacks)
     • q, p: the large and the small modulus respectively
     • L_f, L_g: Private Key Spaces (polynomials with small coefficients)
     • L_r, L_m: Blinding value and plaintext space respectively
     • center: A centering algorithm
     Key Generation
     • Choose uniformly at random polynomials f ∈ L_f, g ∈ L_g
     • Compute f_q ≡ f^{-1} (mod q), f_p ≡ f^{-1} (mod p). If either f_q or f_p does not exist or g is not invertible mod q, return to step 1.
     • Compute h ≡ f_q * p * g (mod q)
     • Public Key: h, Private Key: (f, f_p)

  6. Encryption
     1) Select uniformly at random a blinding value r ∈ L_r
     2) Apply the NTRU function to the message polynomial m ∈ L_m: e = E(m, r) = h * r + m (mod q)
     Decryption
     • Compute a ≡ f * e (mod q); a ≡ f * h * r + f * m ≡ p * g * r + f * m (mod q)
     • Using a and a centering algorithm compute a polynomial A s.t. A = p * r * g + f * m over the integers
     • Compute m (mod p) = f_p * A (mod p)
     • Recover m in L_m from m (mod p)

  7. Instantiations of NTRU
     Var        L_f             L_g           L_m       L_r           q                 p     F         Dec.Fail
     NTRU-1998  T(d_f, d_f−1)   T(d_g, d_g)   T         T(d_r, d_r)   2^k ∈ [N/2, N]    3     -         YES
     NTRU-2001  1 + p*F         B(d_g)        B         B(d_r)        2^k ∈ [N/2, N]    2+X   B(d_F)    YES
     NTRU-2005  1 + p*F         B(d_g)        B         B(d_r)        Prime             2     B(d_F)    NO
     NTRU-2007  1 + p*F         T(d,e)        T(d,e)    T(d,e)        2^k               3     T(d,e)    YES
     Hamming weights of polynomials g, r, F (resp. d_g, d_r, d_F) are all known public parameters

  8. Previous work (CCA framework)
     Attack              #Queries     Dec. Failures   Ciphertexts   reply         Applicability   Shape of f
     Jaulmes, Joux       small        -               invalid       full output   unpadded        NTRU-1998
     Hong et al.         very small   -               invalid       full output   unpadded        1 + p*F
     Hoffstein, Silv.    large        required        invalid       YES/NO        unpadded        any shape
     Howgrave et al.     large        required        valid         YES/NO        padded          any shape
     Gama, Nguyen        small (?)    required        valid         full output   padded          any shape
     This work (Black Box):
     • #Queries: Depends
     • Dec. Failures: not required ?
     • reply: Both full and YES/NO
     • Applicability: unpadded
     • Shape of f: 1 + p*F

  9. Valid Challenges
     E^{d_r}_{q,h} = { e ∈ Z_q^N | ∃ r ∈ B(d_r), m ∈ B : e ≡ h * r + m (mod q) }
     Perfect Inversion Oracles
     i) Full output Oracle (orc1): on input e ∈ Z_q^N,
        if e ∈ E^{d_r}_{q,h}, output all pair(s) (r, m) ∈ B(d_r) × B s.t. e ≡ h * r + m (mod q);
        if e ∉ E^{d_r}_{q,h}, output "?"
     ii) Decision Oracle (orc1_DEC): on input e ∈ Z_q^N,
        if e ∈ E^{d_r}_{q,h}, output YES;
        if e ∉ E^{d_r}_{q,h}, output "?"

  10. NTRU Universal Breaking (UB_NTRU)
     UB_NTRU is (p, orc, Q)-solvable if there exists an algorithm, polynomial in Q, which fully recovers f with probability at least p by querying oracle orc at most Q times.
     Rewriting the Key Generation Equation (with p_q ≡ p^{-1} (mod q) and f = 1 + p*F)
     f * h ≡ p * g (mod q)
     ⇒ (1 + p*F) * h ≡ p * g (mod q)
     ⇒ p_q * (1 + p*F) * h ≡ g (mod q)
     ⇒ p_q * h + h * F ≡ g (mod q)
     ⇒ u − p_q * h ≡ h * F + (u − g) (mod q)
     where u = 1 + X + ... + X^{N−1} and both F and u − g are binary.
     t ≡ u − p_q * h (mod q) (known from the public information) is similar to an inversion instance t ≡ h * F + (u − g) (mod q)

  11. 1) Universal Breaking With Orc1
     Case 1: d_F = d_r. Then by definition t ∈ E^{d_F}_{q,h} = E^{d_r}_{q,h}, and thus upon querying orc1 on t we expect to recover F, g (and thus f, g).
     Case 2: d_F = d_r + d. Let F_{i_1} = F_{i_2} = ... = F_{i_d} = 1 for indices i_1, i_2, ..., i_d. Then F − X^{i_1} − X^{i_2} − ... − X^{i_d} ∈ B(d_r) and
        t − h * (X^{i_1} + X^{i_2} + ... + X^{i_d}) ≡ h * (F − X^{i_1} − X^{i_2} − ... − X^{i_d}) + g (mod q).
        Thus t − h * (X^{i_1} + X^{i_2} + ... + X^{i_d}) ∈ E^{d_r}_{q,h}, and we can recover F, g by querying orc1 on t − h * (X^{i_1} + X^{i_2} + ... + X^{i_d}).
     Case 3: d_F = d_r − d, N − d_F = d_r ± d. This case is symmetrical to case 2 and can be analyzed similarly.
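The following script is an added example, not code from the paper or the slides: it implements the ring arithmetic of slides 4–6 with constructed toy parameters N = 7, q = 128, p = 3 (real NTRU uses N in the hundreds), simulates the perfect full-output oracle orc1 by brute force over B(d_r), and carries out the Case 1 (d_F = d_r) key recovery of slides 10–11: build t = u − p_q*h from the public key alone, query orc1 on it, and rebuild f = 1 + p*F from the returned F.

```python
# Added example (not from the paper): toy NTRU in P = Z_q[X]/(X^N - 1) and
# the reduction t = u - p_q*h = h*F + (u - g) (mod q) queried to a full-output oracle.
from itertools import combinations

N, q, p = 7, 128, 3            # constructed toy sizes; real N is a few hundred
ONE = [1] + [0] * (N - 1)

def mul(a, b):
    """Star product: h_k = sum over i+j = k (mod N) of a_i*b_j, reduced mod q."""
    h = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            h[(i + j) % N] = (h[(i + j) % N] + ai * bj) % q
    return h

def add(a, b): return [(x + y) % q for x, y in zip(a, b)]
def sub(a, b): return [(x - y) % q for x, y in zip(a, b)]
def scale(c, a): return [(c * x) % q for x in a]
def encrypt(h, r, m): return add(mul(h, r), m)   # NTRU function e = h*r + m

def inverse_mod_q(f):
    """f^-1 in P for q = 2^k: brute force mod 2 (N is tiny), then Newton-lift."""
    inv = next((c for bits in range(1 << N)
                for c in [[(bits >> i) & 1 for i in range(N)]]
                if [x % 2 for x in mul(f, c)] == ONE), None)
    if inv is None: raise ValueError("f is not invertible mod q")
    mod = 2
    while mod < q:              # correct mod 2^i  ->  correct mod 2^(2i)
        mod *= mod
        inv = mul(inv, sub(scale(2, ONE), mul(f, inv)))
    return inv

def keygen(F, g):
    f = add(ONE, scale(p, F))                    # f = 1 + p*F (NTRU-2001/2005 shape)
    return f, mul(inverse_mod_q(f), scale(p, g)) # h = f_q * p * g mod q

def orc1(h, e, d_r):
    """Perfect full-output oracle simulated by brute force over r in B(d_r): preimg(e)."""
    out = []
    for idx in combinations(range(N), d_r):
        r = [int(i in idx) for i in range(N)]
        m = sub(e, mul(h, r))                    # m must be binary for a valid preimage
        if all(c in (0, 1) for c in m):
            out.append((r, m))
    return out

def recover_key(h, d_r):
    """Case d_F = d_r: query orc1 on t = u - p_q*h and rebuild f = 1 + p*F."""
    t = sub([1] * N, scale(pow(p, -1, q), h))    # t has the shape h*F + (u - g)
    return [add(ONE, scale(p, F)) for F, _ in orc1(h, t, d_r)]
```

Because orc1 may return several preimages (an NTRU collision pair), recover_key returns every candidate f; the genuine key is always among them.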

  12. Working Out the Details…
     The complexity of the key recovery algorithm depends on:
     a) The pairs orc1 returns upon being queried on valid challenges.
     b) The total number of queries until a valid challenge is found.
     a) Bounding orc1's output
     [NTRU Collision Pair]: It is a pair ((r_1, m_1), (r_2, m_2)) with (r_i, m_i) ∈ B(d_r) × B such that (r_1, m_1) ≠ (r_2, m_2) but E(r_1, m_1) = E(r_2, m_2).
     [Set of Preimages]: Let e ∈ Z_q^N be a valid challenge.
        preimg(e) = { x_i = (r_i, m_i) | r_i ∈ B(d_r), m_i ∈ B, h * r_i + m_i ≡ e (mod q) }

  13. Proposition: On input e ∈ E^{d_r}_{q,h}, the standard NTRU decryption algorithm fails to decrypt with prob. at least 1 − 1/|preimg(e)|.
     Implication: Collisions ⇒ Decryption Failures
     Corollary: In NTRU-2005, collisions are impossible.
     The Preimage Assumption: For each e ∈ E^{d_r}_{q,h}, |preimg(e)| is "small" (polynomially bounded).
     Output of orc1 on input e: Polynomially bounded

  14. b) Bounding the number of queries addressed to orc1
     • N coefficients, M = d_F 1s, d = d_F − d_r coefficients picked at each guess.
     • μ(N, M, d): number of guesses for finding d "correct" indices
        μ(N, M, d) ≤ C(N − M + d, d)
     1st Reduction: UB_NTRU is (1, orc1, μ(N, d_F, d_F − d_r))-solvable. In particular, if d = d_F − d_r is a small constant (compared to N), then UB_NTRU can be solved within a polynomial number of queries to orc1.
     Probabilistic analysis: UB_NTRU is (1 − ε, orc1, (1 − ε) · C(N, d_F − d_r) / C(d_F, d_F − d_r))-solvable.

  15. 2) Universal Breaking With Orc1_DEC
     Theorem: Ignoring collisions (of trinary polynomials), UB_NTRU is (1, orc1_DEC, C(N − d_r, d_F − d_r) + N + d_F − d_r − 1)-solvable.
     Proof Sketch: At the j-th step we pick I^(j) = (i_1^(j), i_2^(j), ..., i_d^(j)) and query orc1_DEC on t − h * (X^{i_1^(j)} + X^{i_2^(j)} + ... + X^{i_d^(j)}).
     I^(j) is s.t. I^(j) ≠ I^(k) ∀ j ≠ k, and ∀ j ≥ 2 ∃ k < j s.t. I^(j), I^(k) differ at exactly one index, which can be efficiently found.
     Let I^(m) lead to a "YES" reply from orc1_DEC. Then by construction
     (i) m ≤ C(N − d_r, d_F − d_r)
     (ii) F_{i_1^(m)} = F_{i_2^(m)} = ... = F_{i_d^(m)} = 1 (we have assumed no collisions)
     (iii) We can efficiently find a configuration I^(k) and an index i_j^(k) such that F_{i_j^(k)} = 0.
