NNRU, a noncommutative analogue of NTRU
Nitin Vats
Indian Institute of Science, Bangalore, India
Abstract.
NTRU is a well-studied lattice-based public key cryptosystem, along with the Ajtai-Dwork and GGH systems. Underlying NTRU is the hard mathematical problem of finding short vectors in a certain lattice. Shamir (1997) presented a lattice-based attack by which he could find the original secret key or an alternate key. Shamir concluded that if one designs a variant of NTRU where the calculations involved during encryption and decryption are non-commutative, then the system will be secure against lattice-based attacks. This paper presents a new cryptosystem with the above property, and we prove that it is completely secure against lattice-based attacks. It operates in the non-commutative ring $\mathcal{M} = M_k(\mathbb{Z})[X]/(X^n - I_{k \times k})$, where $\mathcal{M}$ is the ring of $k \times k$ matrices of polynomials in $R = \mathbb{Z}[X]/(X^n - 1)$, and it gives a speed improvement of $O(k^{\dots})$ over NTRU for the same bit of information.
Keywords: public key cryptosystem, NTRU, lattice based cryptosystem.
The first version of NTRU was proposed by Hoffstein (1996). It has recently been assessed as the fastest public key cryptosystem [1]. Its strong points are a short key size and the speed of encryption and decryption, two assets of crucial importance in embedded applications like hand-held devices and wireless systems. The description of the NTRU system is given entirely in terms of a quotient ring of integer polynomials. The most expected attack on this system is the lattice-based attack. The NTRU public key cryptosystem [1] relies for its security on the presumed difficulty of solving the shortest [7,12] and closest vector problems in certain lattices related to the cyclotomic ring $\mathbb{Z}[X]/(X^n - 1)$.

… we can partially decrypt it by adding the pieces to get the whole. So added security can be achieved by increasing the dimension of the lattice, but that will decrease the speed of encryption and decryption, which is the key property of NTRU.

In this paper we present another variant of NTRU, which we call NNRU. Our focus involves an extension to noncommutative groups instead of using the group algebra over $\mathbb{Z}_n$ (that is, the ring $\mathbb{Z}_q[X]/(X^n - 1)$). NNRU operates in the ring of $k \times k$ matrices whose entries are distinct polynomials in $R = \mathbb{Z}[X]/(X^n - 1)$. As matrix multiplication in NNRU is strictly non-abelian, an adversary will have to find two ring elements, so the search space is the square of that of NTRU. In Section 5 we show that NNRU is completely secure against the lattice attack that was more likely on NTRU and its variants. We can compare with an instance of NTRU by putting $nk = N$. Encryption and decryption in NTRU need $O(N)$ or $O(nk)$ operations for a message block of length $N$, but in NNRU, for the same bit of information, we need $O(nk^{\dots})$ operations if we use Coppersmith's algorithm for matrix multiplication; that is a considerable speed improvement over the original NTRU. Inversion of a polynomial matrix can be done quickly and with less memory expense by the algorithm suggested in [28]. Moreover, polynomial matrix computations can be solved in $\tilde{O}(nk^{e})$ by reducing polynomial matrix multiplication to determinant computation and conversely, under the straight-line model [27]. Here $\tilde{O}$ denotes some missing $\log(nk)$ factors and $e$ is the exponent of matrix multiplication over $R$.

The paper is organized as follows. Section 2 gives some notation and norm estimation that help our analysis. In Section 3 we briefly sketch the NNRU cryptographic system. In Section 4 we discuss constraints on the parameters. Details of the security analysis of the NNRU system are given in Section 5. Section 6 shows the performance analysis and comparison with NTRU.

All computations in NNRU are performed in the ring $\mathcal{M} = M_k(\mathbb{Z})[X]/(X^n - I_{k \times k})$, where $\mathcal{M}$ is the ring of $k \times k$ matrices of elements of the ring $R = \mathbb{Z}[X]/(X^n - 1)$. An element $a_0 + a_1 x + \dots + a_{n-1} x^{n-1}$ of $R$ can be represented as an $n$-tuple of integers $[a_0, a_1, \dots, a_{n-1}]$. Addition in $R$ is performed componentwise, and multiplication is a circular convolution. We define the width of an element $M \in \mathcal{M}$ to be
$$\|M\|_\infty = \max(\text{coeff. in polys } m \in M) - \min(\text{coeff. in polys } m \in M),$$
that is, the width of a matrix $M \in \mathcal{M}$ is the difference between the maximum and the minimum coefficient over all of its polynomials.
We say a matrix $M \in \mathcal{M}$ is short if $\|M\|_\infty \le p$.
The width of the product of two short matrices is also short, as it is much less than $q$, though it may be slightly more than $p$. We define the width of a polynomial $r \in R$ to be $\|r\|_\infty = \max(\text{coeff. in } r) - \min(\text{coeff. in } r)$. Similarly, the polynomial $r$ is said to be short if $\|r\|_\infty \le p$. Basically the width of $M$ or $r$ is a sort of $L_\infty$ norm on $\mathcal{M}$ or $R$ respectively. In this paper we essentially carry out all calculations in the $L_2$ norm to produce an estimate of the $L_\infty$ norm. For precisely evaluating the properties we need to estimate $L_\infty$, but the $L_2$ norm is comparatively easy to estimate. We give a proposition relating the $L_\infty$ and $L_2$ norms by which we can do all calculations in the $L_2$ norm and obtain estimates in the $L_\infty$ norm. It is based on experiments and suggestions due to Don Coppersmith [1].

Let $\|r\|_2$ be the $L_2$ norm of a random polynomial $r$. Then the following proposition holds for random polynomials $r_1, r_2 \in R$ with small coefficients:
$$\|r_1 * r_2\|_2 \approx \|r_1\|_2 \cdot \|r_2\|_2 \quad\text{and}\quad \|r_1 * r_2\|_\infty \approx \gamma\, \|r_1\|_2 \cdot \|r_2\|_2, \quad \text{where } \gamma < 0.15 \text{ for } n < \dots \qquad (1)$$

Now we define a centered $L_2$ norm on $\mathcal{M}$, denoted $\|M\|_2$:
$$\|M\|_2 = \sqrt{\sum_{\text{polys } m \in M} \sum (\text{coeff. in } m - \mu)^2}, \qquad \mu = \frac{1}{nk}\Big(\sum_{\text{polys } m \in M} \sum (\text{coeff. in } m)\Big),$$
where $\mu$ is the average of all coefficients in all the polynomials of the matrix $M$; its value will be close or equal to zero. Equivalently, $\|M\|_2/\sqrt{nk}$ is the standard deviation of the coefficients of the polynomials in $M \in \mathcal{M}$. In this paper we do the analysis on the centered $L_2$ norm on $\mathcal{M}$ and deduce results on the $L_\infty$ norm by using result (1).

The proposition (1) can be extended to the centered $L_2$ norm on $\mathcal{M}$. Consider any $\kappa > \dots$, $\gamma_1, \gamma_2 > \dots$ and $M_1, M_2 \in \mathcal{M}$. We therefore express
$$\|M_1 * M_2\|_2 \approx \|M_1\|_2 \cdot \|M_2\|_2 \quad\text{and}\quad \gamma_1 \|M_1\|_2 \cdot \|M_2\|_2 \le \|M_1 * M_2\|_\infty \le \gamma_2 \|M_1\|_2 \cdot \|M_2\|_2. \qquad (2)$$
On the basis of experimental evidence and due to Don Coppersmith [1], the proposition holds with probability greater than $1 - \kappa$ for small $\kappa$. It can be shown experimentally that even for larger values of $nk$, the value of $\gamma_1/\gamma_2$ is somewhere between zero and one (moderately larger than zero).
The NNRU cryptosystem depends on four positive integer parameters $(n, k, p, q)$, with $p$ and $q$ relatively prime, and four sets of matrices $(L_f, L_c, L_\phi, L_m) \subset \mathcal{M}$. Note that $q$ will always be considered much larger than $p$. In this paper, for ease of explanation, we stick to $p = 2$ or $3$, and $q$ ranges between $2^{\dots}$ and $2^{\dots}$. When we do matrix multiplication modulo $p$ (or $q$), we mean to reduce the coefficients of the polynomials in the matrices modulo $p$ (or $q$).

The sets of matrices $(L_f, L_c, L_\phi, L_m)$ consist of matrices of polynomials in the ring $R = \mathbb{Z}[X]/(X^n - 1)$. $(L_f, L_c, L_\phi)$ contain polynomials from the set of polynomials $L(d_1, d_2)$,
$$L(d_1, d_2) \overset{\text{def}}{=} \{\, u \in R \mid u \text{ has } d_1 \text{ coeff. equal } 1,\ d_2 \text{ coeff. equal } -1, \text{ and rest } 0 \,\},$$
where $d_1 = d_2 < n/\dots$ and $d_1 = d_2 \approx n/p$. The space of messages $L_m$ consists of all matrices of polynomials with coefficients modulo $p$. We therefore express
$$L_m \overset{\text{def}}{=} \{\, M \in \mathcal{M} \mid \text{polynomials in } M \text{ have coeff. lying between } -\tfrac{p-1}{2} \text{ and } \tfrac{p-1}{2} \,\}.$$
Here we explain individually the meaning and composition of all four sets of matrices $(L_f, L_c, L_\phi, L_m) \subset \mathcal{M}$:
1. $L_f$ with elements $f$ and $g$, and $L_\phi$ with elements $\phi$, consist of small matrices of polynomials; $f$ and $g$ are used to compose the private key, while $\phi$ is used as the blinding value for each encryption. $L_f$ must satisfy the requirement of having an inverse modulo $p$ and modulo $q$.
2. The elements $w$ and $c$ belong to the matrix sets $L_w$ and $L_c$ respectively. $L_c$ should satisfy the requirement of having an inverse modulo $p$. $w$ and $c$ are used to construct the public key.
3. The set of messages $L_m$ consists of matrices of polynomials with coefficients modulo $p$. We therefore express
$$L_m = \Big\{\, M \in \mathcal{M} \mid \text{polys in } M \in \Big(-\tfrac{p-1}{2} \cdots \tfrac{p-1}{2}\Big)^n \subseteq R \,\Big\}.$$
To create an NNRU public/private key pair, Bob randomly chooses $f, g \in L_f$, $w \in L_w$ and $c \in L_c$. The matrix $f$ must satisfy the additional requirement of having inverses modulo $p$ and $q$. The matrices $g$ and $c$ should have inverses modulo $p$.
We denote these inverses by $F_p, F_q, G_p, C_p$ respectively:
$$f F_q \equiv I \pmod q \quad\text{and}\quad g G_p \equiv I \pmod p, \qquad G_q g \equiv I \pmod q \quad\text{and}\quad C_p c \equiv I \pmod p.$$
Bob next computes the matrices
$$h \equiv w G_q \pmod q \qquad (3)$$
$$H \equiv F_q c \pmod q \qquad (4)$$
Bob publishes the pair of matrices $(h, H) \in \mathcal{M}$ as his public key, retaining $(f, g, c)$ as his private key. $C_p$ and $G_p$ are simply stored for later use.

Suppose Alice (the encryptor) wants to send a message to Bob (the decryptor). Alice selects a message $m$ from the set of plaintexts $L_m$. Next, Alice randomly chooses a matrix $\phi \in L_\phi$ and uses Bob's public key $(h, H)$ to compute the ciphertext $e$:
$$e \equiv p \phi h + H m \pmod q.$$
Alice then transmits $e$ to Bob. A different random choice of the blinding value $\phi$ is made for each plaintext $m$.

To decrypt the ciphertext, Bob first computes
$$A \equiv f e g \pmod q$$
$$A \equiv f(p \phi h + H m) g \pmod q$$
$$A \equiv f p \phi h g + f H m g \pmod q$$
$$A \equiv p f \phi w G_q g + f F_q c m g \pmod q$$
$$A \equiv p f \phi w + c m g \pmod q,$$
where he chooses the coefficients of the polynomials of the matrix $A$ to lie in the interval $-q/2$ to $q/2$. $\phi$, $g$, $f$, $m$, $c$ and $w$ have polynomials with small coefficients and $p$ is much smaller than $q$. It is highly probable, for an appropriate choice of the parameters, that the matrix $p f \phi w + c m g$, before reduction mod $q$, has polynomials with coefficients of absolute value less than $q/2$. Bob next computes the matrix $B$:
$$B \equiv A \pmod p, \qquad B \equiv c m g \pmod p.$$
He reduces each coefficient of the elements of $A$ modulo $p$. Finally Bob uses his other private keys $C_p$ and $G_p$ to recover the original message:
$$C \equiv C_p\, c m g\, G_p \pmod p, \qquad C \equiv m \pmod p.$$
The matrix $C$ will be the original message $m$, with each polynomial of $m$ in $\big(-\tfrac{p-1}{2} \cdots \tfrac{p-1}{2}\big)^n \subseteq R$.

Our selection is based on the following three requirements:
1. $f \phi w$ and $c m g$ should be small in order for decryption to work.
2. Appropriate selection of $f$, $g$ and $c$ prevents a private key attack.
3. Appropriate selection of $\phi$ and $m$ prevents a plaintext attack.
The key point is that decryption will only work if $f \phi w$ and $c m g$ are not too large, so we want to keep $|p f \phi w + c m g|_\infty$ small. For security reasons it is important that $w$ remains secret from the attacker. On average $|w| \approx |m|$; this type of selection gives $|p f \phi w| \approx |c m g|$. As already described, we select $f, g$ from $L_f$, $c$ from $L_c$, $w$ from $L_w$ and $m$ from $L_m$, which gives $d_1 = d_2 \approx n/p$; that ensures the number of possible choices for the polynomials of these matrices is maximized.

To decrypt the ciphertext, an attacker needs to know the private key $f$, $g$ and $c$ correctly. The attacker can try all possible $f, g \in L_f$ such that $h g \pmod q$ has polynomials with small entries, or find all $g \in L_f$ and test whether $f H \pmod q$ has polynomials with small entries. Out of these small $f H \pmod q$, one will be $c \pmod q$. So the attacker needs to search for the pair $(f, g)$. $f$ and $g$ are determined by $2k$ polynomials, each of them having maximum degree $n - 1$, and the possible $(f, g)$ pairs give
$$\text{Key Security} = \left[\frac{n!}{(n - d_f)!\, d_f!}\right]^{k}.$$
Here $d_f$ and $d_\phi$ are defined by assuming $L_f$ and $L_\phi$ contain polynomials from the sets $L(d_f, d_f)$ and $L(d_\phi, d_\phi)$ respectively. By analogy, the same attack can also be mounted against a given message by testing all possible $\phi \in L_\phi$ and searching for the matrices $e - \phi h \pmod q$ which contain polynomials with small entries. So the individual message security is
$$\text{Message Security} = \left[\frac{n!}{(n - d_\phi)!\, d_\phi!}\right]^{k}.$$
A meet-in-the-middle attack was proposed by Andrew Odlyzko [13] for NTRU and developed by Silverman. This attack can also be used against NNRU. The attack needs a lot of storage capacity and cuts the search time by a square root.
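The key generation, encryption and decryption steps above, as an added worked example in Python (this is not code from the paper): each $k \times k$ matrix of polynomials is embedded as an $nk \times nk$ integer matrix of circulant blocks, so the noncommutative products and the inverses modulo $p$ and $q$ become plain matrix operations. The toy parameters $n = 7$, $k = 2$, $p = 3$, $q = 2048$, $d = 2$ and the mixing of $L(d, d)$ and $L(d, d-1)$ entries in the key matrices are assumptions of this example: with identical coefficient counts in every entry, $f$ evaluated at $X = 1$ has rank at most one and cannot be inverted modulo $p$ or $q$.

```python
import random
from math import gcd

# Toy NNRU parameters, constructed for this example and far below any secure size:
# n = polynomial length, k = matrix dimension, p and q coprime moduli, d ~ n/p.
n, k, p, q, d = 7, 2, 3, 2048, 2

def to_block(mat):
    """Embed a k x k matrix of polynomials in Z[X]/(X^n - 1) as an nk x nk integer matrix of
    circulant blocks; ordinary (noncommutative) matrix products then equal products in M_k(R)."""
    return [[mat[r // n][c // n][(r - c) % n] for c in range(n * k)] for r in range(n * k)]

def mul(a, b):
    return [[sum(x * b[l][j] for l, x in enumerate(row)) for j in range(len(b[0]))] for row in a]

def centre(a, m):
    """Reduce every coefficient into the centred interval [-m/2, m/2)."""
    return [[((x + m // 2) % m) - m // 2 for x in row] for row in a]

def inverse_mod(a, m):
    """Gauss-Jordan inverse mod m (None if singular); pivots must be units, so q = 2048 works too."""
    size = len(a)
    aug = [list(row) + [int(i == j) for j in range(size)] for i, row in enumerate(a)]
    for col in range(size):
        piv = next((r for r in range(col, size) if gcd(aug[r][col] % m, m) == 1), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], -1, m)
        aug[col] = [(x * inv) % m for x in aug[col]]
        for r in range(size):
            if r != col and aug[r][col] % m:
                aug[r] = [(x - aug[r][col] * y) % m for x, y in zip(aug[r], aug[col])]
    return [row[size:] for row in aug]

def small_poly(rng, ones, minus):
    """Element of L(ones, minus): `ones` coefficients +1, `minus` coefficients -1, rest 0."""
    pos = rng.sample(range(n), ones + minus)
    return [1 if i in pos[:ones] else -1 if i in pos[ones:] else 0 for i in range(n)]

def small_matrix(rng, minus_choices):
    return to_block([[small_poly(rng, d, rng.choice(minus_choices)) for _ in range(k)] for _ in range(k)])

def invertible_matrix(rng, moduli):
    """Assumption of this example: key entries mix L(d, d) and L(d, d-1); with the same +1/-1 counts in every entry the matrix at X = 1 has rank <= 1 and no inverse mod p or q."""
    while True:
        a = small_matrix(rng, (d, d - 1))
        invs = [inverse_mod(a, m) for m in moduli]
        if None not in invs:
            return a, invs

def keygen(rng):
    f, (Fq, _Fp) = invertible_matrix(rng, (q, p))   # f: inverses mod q and mod p
    g, (Gq, Gp) = invertible_matrix(rng, (q, p))    # g: inverses mod q and mod p
    c, (Cp,) = invertible_matrix(rng, (p,))         # c: inverse mod p
    w = small_matrix(rng, (d,))                     # secret w, never published
    h, H = centre(mul(w, Gq), q), centre(mul(Fq, c), q)   # h = w*G_q, H = F_q*c (mod q)
    return (f, g, Gp, Cp), (h, H)

def encrypt(rng, pub, m):
    h, H = pub
    phi = small_matrix(rng, (d,))                   # fresh blinding value for every message
    return centre([[p * x + y for x, y in zip(r1, r2)] for r1, r2 in zip(mul(phi, h), mul(H, m))], q)

def decrypt(priv, e):
    f, g, Gp, Cp = priv
    A = centre(mul(mul(f, e), g), q)        # = p*f*phi*w + c*m*g exactly while coefficients stay in (-q/2, q/2)
    B = centre(A, p)                        # mod p removes the p*f*phi*w term: B = c*m*g (mod p)
    return centre(mul(mul(Cp, B), Gp), p)   # C_p * c*m*g * G_p = m (mod p)

def roundtrip(seed):
    """Key generation, encryption and decryption for one seed; True iff the plaintext m is recovered."""
    rng = random.Random(seed)
    priv, pub = keygen(rng)
    lo = (p - 1) // 2                       # plaintext in L_m: coefficients between -(p-1)/2 and (p-1)/2
    m = to_block([[[rng.randint(-lo, lo) for _ in range(n)] for _ in range(k)] for _ in range(k)])
    return decrypt(priv, encrypt(rng, pub, m)) == m
```

With these parameters every coefficient of $p f \phi w + c m g$ is bounded by 256 in absolute value, well inside $(-q/2, q/2)$, so the centred reduction in `decrypt` never wraps and decryption always succeeds.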
This attack works if Alice sends a single message $m$ several times using the same public key but different blinding values $\phi$; then the attacker Eve can get the maximum bits of the message. Suppose Alice transmits the messages
$$e_i \equiv \phi_i h + H m \pmod q \quad \text{for } i = 1, \dots, r.$$
Eve can compute $(e_i - e_1) * h^{-1} \pmod q$, therefore recovering $\phi_i - \phi_1 \pmod q$. If $r$ is of moderate size (say 5 or 6), Eve will recover enough bits of $\phi$ to apply brute force to the rest of the bits. As the polynomials of $\phi$ have small coefficients, Eve will recover exactly $\phi_i - \phi_1$, and in this way Eve will recover many of the coefficients of the polynomials of $\phi$. Due to this attack we suggest not to use multiple transmission without further scrambling of the particular (underlying) message. However, this attack will work only for a single message (that has been transmitted multiple times), not for any subsequent message.

The decryptor computes
$$A = f e g \equiv p f \phi w + c m g \pmod q.$$
The parameters are chosen so that both $p f \phi w$ and $c m g$ are small enough to guarantee that the entries of the non-modular expression
$$B = p f \phi w + c m g \pmod q$$
lie between $-q/2$ and $q/2$, … modulo $p$ from computing modulo $q$, and can calculate the message
$$m \equiv C_p B G_p \pmod p.$$
We can estimate bounds on the elements of $B$ provided decryption is correct. Decryption will work only when $B$ is equal to $p f \phi w + c m g$, not merely congruent to it modulo $q$. Using result (2) we can say the following:
$$\|p f \phi w\| \approx p\,\|f\|\,\|\phi\|\,\|w\|, \qquad \|c m g\| \approx \|c\|\,\|m\|\,\|g\|.$$
Assuming the vectors $p f \phi w$ and $c m g$ to be nearly orthogonal, we can write
$$\|B\|^2 \approx p^2 \|f\|^2 \|\phi\|^2 \|w\|^2 + \|c\|^2 \|m\|^2 \|g\|^2. \qquad (5)$$
Decoding will fail if any coefficient of a polynomial of $B$ is more than $q/2$ … The coefficients of $B$ are normally distributed with mean zero and standard deviation $\sigma \approx \|B\|/\sqrt{nk}$. Analogous to Shamir's results for NTRU [1], experiments suggest that the probability of correct decoding is high for a small ratio of $\sigma$ to $q/2$. We can say that the reliability of decoding is directly proportional to the ratio of $\sigma \approx \|B\|/\sqrt{nk}$ to $q$.

Equation (5) gives an estimate of the value of $\|B\|$ in terms of $f, w, c$ and $g$. Let us consider the case in which an attacker can use an alternate matrix $f'$ in place of the original $f$ and $g'$ in place of $g$. Upon calculating a value $w'$ from equation (3) and $c'$ from equation (4), an estimate of $\|B'\|$ can be calculated by equation (5). If this $\|B'\|$ is comparable to $\|B\|$, then it is not hard to recover the message using $f'$ and $g'$. So consider
$$\|B\|^2 \approx p^2 \|f\|^2 \|\phi\|^2 \|w\|^2 + \|c\|^2 \|m\|^2 \|g\|^2.$$
Assume $\|\phi\|$ and $\|m\|$ to be held constant at a typical value, and put $\lambda = \|m\| / (p \|\phi\|)$. Substituting $\lambda$ into the above equation, we are left with
$$\sigma^2 = \frac{\|B'\|^2}{nk} \approx \left(\frac{p^2 \|\phi\|^2}{nk}\right)\left(\|f'\|^2 \|w'\|^2 + \lambda^2 \|c'\|^2 \|g'\|^2\right).$$
We can attack this cryptosystem if we can make a lattice $L$ in which the squared norm of an element is $\|f\|^2 \|w\|^2 + \|c\|^2 \|g\|^2$. In other words, if we can construct a lattice from the public key pair $(h, H)$ in which the vector $(fw, cg)$ lies, or if we can show that the vectors $fw$ and $cg$ are the same linear transformation of the public key vectors. In the following analysis we show that we cannot make such a lattice that is generated by the public key and contains the vectors $(fw, cg)$. The encrypted message is left-multiplied by $f$ and right-multiplied by $g$; $fw$ and $cg$ are produced by the following transformation on the public keys, $T_{f,g}(1): 1 \mapsto f g$. We define $T_{f,g}: \mathcal{M} \to \mathcal{M}$ to be the linear map
$$h \mapsto f h g \quad\text{or}\quad h \mapsto f w \qquad (6)$$
$$H \mapsto f H g \quad\text{or}\quad H \mapsto c g \qquad (7)$$
For further analysis let us recall the definition of a lattice. Let $\mathbb{R}^m$ be the $m$-dimensional Euclidean space. A lattice in $\mathbb{R}^m$ is the set
$$L(b_1, b_2, \dots, b_n) = \Big\{ \sum_{i=1}^{n} x_i b_i : x_i \in \mathbb{Z} \Big\}$$
of all integer combinations of $n$ linearly independent vectors $\{b_1, b_2, \dots, b_n\}$ in $\mathbb{R}^m$ ($m \ge n$). Here we try to make a lattice of dimensions $2nk \times nk$ with basis vectors produced by the cyclic shifts of the coefficients of the polynomials of the matrices $h$ and $H$. The attacker can crack the system provided the lattice contains the vector $(fw, cg)$. One can conclude from the linear transformations shown in equations (6) and (7) that the lattice attack is possible if and only if one can make a lattice with the public key vectors $(h, H)$ which contains the vector $(fw, cg)$, or if the following transformation is linear:
$$(h, H) \mapsto (fw, cg). \qquad (8)$$
In the following analysis we show that the transformation $h \mapsto f h g$ is not linear. Similarly it follows that $H \mapsto f H g$ and $(h, H) \mapsto (fw, cg)$ cannot be linear.

Consider the multiplication of the matrices $f \cdot h \cdot g = fw$, where each matrix ($f$, $g$, $h$, $fw$) has $k^2$ short polynomials as elements:
$$\begin{pmatrix} f_1 & \cdots & f_k \\ \vdots & \ddots & \vdots \\ f_{k(k-1)+1} & \cdots & f_{k^2} \end{pmatrix} \begin{pmatrix} h_1 & \cdots & h_k \\ \vdots & \ddots & \vdots \\ h_{k(k-1)+1} & \cdots & h_{k^2} \end{pmatrix} \begin{pmatrix} g_1 & \cdots & g_k \\ \vdots & \ddots & \vdots \\ g_{k(k-1)+1} & \cdots & g_{k^2} \end{pmatrix} = \begin{pmatrix} fw_{1,1} & \cdots & fw_{1,k} \\ \vdots & \ddots & \vdots \\ fw_{k,1} & \cdots & fw_{k,k} \end{pmatrix}$$
The entries are
$$(fw)_{1,1} = g_1 f_1 h_1 + g_{k+1} f_1 h_2 + g_{2k+1} f_1 h_3 + \cdots + g_{k(k-1)+1} f_1 h_k + g_1 f_2 h_{k+1} + \cdots + g_{k(k-1)+1} f_2 h_{2k} + \cdots + g_{k(k-1)+1} f_k h_{k^2}$$
$$(fw)_{1,2} = g_2 f_1 h_1 + \cdots + g_{k(k-1)+2} f_k h_{k^2}$$
$$\vdots$$
$$(fw)_{k,k} = g_k h_1 f_{k(k-1)+1} + g_{2k} h_2 f_{k(k-1)+1} + \cdots + g_{k^2} h_k f_{k(k-1)+1} + \cdots + g_{k^2} h_{k^2} f_{k^2}$$
So the general term can be represented as
$$(fw)_{i,j} = \sum_{l = k(i-1)+1}^{ki} \sum_{s=0}^{k-1} f_l\, g_{j+sk}\, h_{k(l - k(i-1) - 1) + s + 1},$$
or we can write $(fw)_{i,j} = \sum f_u g_v h_z = \sum U_z h_z$, where $u$, $v$ and $z$ are related according to the relationship shown above. Here $i, j \in [1, k]$; $u, v \in [1, k^2]$; $z \in [1, k^2]$. As all the $U_z$ are different, we cannot find a row vector $S_i = (s_1, s_2, \dots, s_{k^2})$ that will produce the vector $fw$ on multiplication with a lattice represented by the cyclic shifts of the coefficients of the polynomials of $h$. In other words, if the column vectors $v_1, v_2, \dots, v_{nk}$ are the basis of the lattice $L(v_1, v_2, \dots, v_{nk})$, then we would have to multiply a different vector $S_i$ with each column vector $v_i$ to get $fw$. We therefore conclude
$$fw \neq S_i\, L(v_1, v_2, \dots, v_{nk}).$$
Thus we have proved that one cannot make a lattice from $h$ and $H$ which contains the vectors $(fw, cg)$. So the lattice attack will not work for this cryptosystem, unlike NTRU [1] and its variants [14].

Many variants of NTRU have been introduced to date. We present NNRU as the only variant of NTRU which operates in a non-commutative ring. It is completely secure against lattice attacks. Moreover, it gives a speed improvement over NTRU. A brief account of the other variants follows.
1. Variant with non-invertible polynomial [25]: It operates in the ring $\mathbb{Z}[X]/(X^N - 1)$. The size of the public key and the encryption time are roughly double those of NTRU. It is likely to be more robust against lattice attacks, but this is not proved.
2. MaTRU [14]: It operates in a ring of $k \times k$ matrices of polynomials in $R = \mathbb{Z}[X]/(X^n - 1)$, but decryption is not non-commutative. A speed improvement by a factor of $O(k)$ is achieved. It gives no added security against lattice or other attacks in comparison with NTRU.
3. CTRU [24]: It is an analogue of NTRU with the ring of integers replaced by the ring of polynomials $\mathbb{F}[T]$. It has been completely cracked by a linear algebra attack.

As [25] is slow and [24] is completely cracked, it is natural to give more attention to the study of the security aspects of MaTRU. Here we present a meet-in-the-middle attack on MaTRU and show that the MaTRU system is not more robust against this attack than NTRU. This attack cannot be mounted on NNRU because the calculations involved in decryption are non-commutative. [26] shows a meet-in-the-middle attack on NTRU; we show that a similar attack can be applied to MaTRU. Applying the same notation as in [14], let us consider the second block of the MaTRU lattice [14]:
$$w \pmod q = (\gamma_{0,0}, \gamma_{0,1}, \dots, \gamma_{k-1,k-1})^T \big(h,\ h \gg 1,\ h \gg 2,\ \dots,\ h \gg (k-1)\big).$$
The $nk$ coefficients of $w$ can be obtained by multiplying the row vector $\gamma$ with the matrix $h$. The idea is to search for $\gamma$ in the form $\gamma_1 \| \gamma_2$, where $\gamma_1$ and $\gamma_2$ each have $nk/2$ coefficients and $d/2$ ones ("$\|$" denotes concatenation), and then to match $(\gamma_1 * h)$ against $(-\gamma_2 * h)$, looking for $(\gamma_1, \gamma_2)$ such that the corresponding coefficients have approximately the same value. The above relationship can be written as
$$\Rightarrow (\gamma_1 * h)_i = \{0, 1\} - (\gamma_2 * h)_i \pmod q \quad \forall i,$$
where the notation $a_i$ denotes the $i$-th entry of $a$. This equation is similar to what we get for NTRU [26]:
$$\Rightarrow (f_1 * h)_i = \{0, 1\} - (f_2 * h)_i \pmod q \quad \forall i.$$
We can run the attack in the same way as [26]. Assume $nk = N$ and let $d$ be the number of ones in $\gamma$. Similarly to [26], one can easily find that the expected running time and storage space required for this method (equal to what we get for NTRU) is $\binom{N/2}{d/2} / \sqrt{N}$. Further, one can also apply the meet-in-the-middle attack on MaTRU followed by a linear algebra attack.
The lattice in [14] can also be represented as the modular equation
$$\gamma(y) * h(y) \equiv w \pmod q \pmod{y^k - 1},$$
i.e.
$$\gamma(y) * h(y) = w + q u,$$
where $u = u_{0,0} + u_{0,1}\, y + \dots + u_{k-1,k-1}\, y^{k-1}$ and $u_{i,j} \in \mathbb{Z}[X]/(X^n - 1)$. … Further, one can set up a meet-in-the-middle search to reduce the running time to $O(2^{(nk - \dots)/\dots})$.

Here we present the theoretical operating specification of NNRU and compare the complexity of the different operations with the standard NTRU PKCS. The NNRU cryptosystem depends on four positive integer parameters $(n, k, p, q)$, with $p$ and $q$ relatively prime, and four sets of matrices $(L_f, L_c, L_\phi, L_m) \subset \mathcal{M}$. The properties of NTRU [1] are defined in terms of the parameters $(N, p, q)$. We compare the two systems for the same size of plaintext blocks by setting $N = nk$.

| Characteristics | NTRU | NNRU |
|---|---|---|
| Plaintext block | $N \log p$ bits | $nk \log p$ bits |
| Encrypted text block | $N \log q$ bits | $nk \log q$ bits |
| Encryption speed | $O(N)$ operations | $O(nk)$ operations |
| Message expansion | $\log_p q$ to 1 | $\log_p q$ to 1 |
| Private key length | $2N \log p$ bits | $2nk \log p$ bits |
| Public key length | $N \log q$ bits | $2nk \log q$ bits |
| Lattice security | $2\left(\pi\, a e\, N q\right)$ | Totally secure against lattice attack |

Since NNRU performs two-sided multiplication during the decryption process, the constant factor will be about twice that of standard NTRU. For message security, $d_g$ is replaced by $d$ for NTRU and $d_f$ by $d_\phi$ for the NNRU cryptosystem.

If we compare the size of the public/private keys, NNRU needs two public keys, each of them double the length of the NTRU public key, while the size of the private key is the same. NNRU gives a significant speed improvement over standard NTRU. We can compare with an instance of NTRU by putting $nk = N$. Encryption and decryption in NTRU need $O(N)$ or $O(nk)$ operations for a message block of length $N$. In NNRU the same bit of information requires $O(nk^{\dots})$ or $O(nk^{\dots})$ operations if we use Strassen's or Coppersmith's algorithm for matrix multiplication respectively. We can further reduce the number of operations if we use the FFT for polynomial multiplication. In this case it will be as small as $O(k^{\dots}\, n \log n)$, which is a considerable speed improvement over the original NTRU. It is faster than RSA, which needs $O(N)$ operations for encryption and decryption.

Our motivation for NNRU results from various suggestions given by Shamir and other researchers in their papers for extensions to non-commutative groups. We studied NTRU over the ring $F(T)[X]/(X^n - 1)$, but we found that the variant [24] is secure against the Popov normal form attack but completely insecure against linear-algebra-based attacks. Here we follow the group algebra over strictly non-commutative groups. The lattice attack is the biggest threat to NTRU. It is expected that new lattice reduction techniques will be discovered over time and will be able to reduce the number of arithmetic operations involved. It is natural to study an analogue of NTRU in the given context and find the possibilities in terms of security against lattice attacks and any improvement in terms of speed. NNRU is completely secure against lattice attacks with a significant speed improvement. Further research can be done in the direction of finding the possibilities of any other type of attack, or of further improvement and generalization of the NNRU cryptosystem.
References
1. J. Hoffstein, J. Pipher and J. H. Silverman. NTRU: A ring-based public key cryptosystem. In Proceedings of ANTS