Beruflich Dokumente
Kultur Dokumente
Tutorial
Email: renw@cs.unlv.edu
May 23, 2006
http://www.cs.unlv.edu/~renw/ntru-tutorial-slides.pdf
5/23/2006 renw@cs.unlv.edu 1
Agenda
Algebra Tutorial
Modular Arithmetic
Truncated Polynomial Rings
Inverse in Truncated Polynomial Rings
The NTRU Public Key Cryptosystem
NTRU PKCS Parameters
Key Generation
Encryption
Decryption
Why It Works
Advanced Topics (Optimizations)
Implementation Details
5/23/2006 renw@cs.unlv.edu 2
Presentation Outline
Algebra Tutorial
Modular Arithmetic
Truncated Polynomial Rings
Inverse in Truncated Polynomial Rings
The NTRU Public Key Cryptosystem
NTRU PKCS Parameters
Key Generation
Encryption
Decryption
Why It Works
Advanced Topics (Optimizations)
Implementation Details
5/23/2006 renw@cs.unlv.edu 3
Modular Arithmetic
Division with modulo and keep the remainder
e.g. 147 (modulo 17) =?
147=8*17+11 that is 147=11 (modulo 17)
In general, the congruence a=b (modulo m) means that a and b leave
the same remainder when they are divided by m.
(a modulo m) + (b modulo m)=(a+b modulo m)
(a modulo m) * (b modulo m)=(a*b modulo m)
If a*b=1 (modulo m), b is an inverse for a (modulo m)
e.g. inverse of 10 (modulo 23) is 7, why?
7*10=1(modulo 23)
Euclidean Algorithm can be used to check if a and m have common
factors and compute the inverse of a (modulo m) if they do not have
common factors
5/23/2006 renw@cs.unlv.edu 4
Truncated Polynomial Rings
Degree N-1 Ring
E.g. a =a0+a1X+a2X2+a3X3+…+aN-2XN-2+aN-1XN-1
a+b=(a0+b0)+(a1+b1)X+…(aN-1+bN-1)XN-1
XN=1 (mod XN -1)
a*b=c0+c1X+c2X2+…+cN-2XN-2+cN-1XN-1
ck=a0bk+a1bk-1+…+akb0+ak+1bN-1+ak+2bN-2+…aN-1bk+1
k N −1
ck = ∑a b
i =0
i k −i+ ∑a b
i = k +1
i N +k −i = ∑a b i j
i + j ≡ k (mod N )
a*(b+c)=a*b+a*c
Call it Ring of Truncated Polynomials. In terms of modern
abstract algebra, R is isomorphic to the quotient ring Z[X]/(XN-1)
5/23/2006 renw@cs.unlv.edu 5
Truncated Polynomial R with
the modular arithmetic
Polynomial a modulo an integer q
a (modulo q)
Means to reduce the coefficients of a modulo q
a=b (modulo q)
Means every coefficients of the difference a-b is a multiple of q
a =a0+a1X+a2X2+a3X3+…+aN-2XN-2+aN-1XN-1
is conveniently written as the list of N numbers
a=(a0, a1, a2, …..,,aN-2, aN-1)
5/23/2006 renw@cs.unlv.edu 6
Inverses in Truncated
Polynomial R
Inverse modulo q of a polynomial a modulo is a polynomial A with
the property that
a*A=1 (modulo q)
Not every polynomial has an inverse modulo q, but it is easy to
determine if a has an inverse and to compute the inverse if it exists
5/23/2006 renw@cs.unlv.edu 7
Presentation Outline
Algebra Tutorial
Modular Arithmetic
Truncated Polynomial Rings
Inverse in Truncated Polynomial Rings
The NTRU Public Key Cryptosystem
NTRU PKCS Parameters
Key Generation
Encryption
Decryption
Why It Works
Advanced Topics (Optimizations)
Implementation Details
5/23/2006 renw@cs.unlv.edu 8
NTRU PKCS Parameters
Ring R that consists of all truncated polynomials of
degree N-1 having integer coefficients:
a =a0+a1X+a2X2+a3X3+…+aN-2XN-2+aN-1XN-1
5/23/2006 renw@cs.unlv.edu 9
NTRU PKCS Parameters
Security N q p
Level
Moderate 167 128 3
Standard 251 128 3
High 347 128 3
Highest 503 256 3
From www.ntru.com, ntru tutorial
Ntru167ÙECC112ÙRSA512
Ntru263ÙECC168ÙRSA1024 In this tutorial, N=11, q=32, p=3
Ntru503ÙECC196ÙRSA2048
5/23/2006 renw@cs.unlv.edu 10
Key Generation
Randomly Choose two “small” polynomials f and g and
keep them private
Randomly means coefficients is randomly distributed in p
or q, small means the coefficients are much smaller than
p or q
Compute the inverse of f modulo q and the inverse of f
modulo p
f*fq=1 (modulo q) and f*fp=1 (modulo p)
5/23/2006 renw@cs.unlv.edu 11
Key Generation Example
N=11, q=32, p=3
Some method to generate f and g:
df: The polynomial f has df coefficients equal to +1 and
df -1 coefficients equal to -1, and all the rest are 0
dg : The polynomial g has dg coefficients equal to +1
and dg coefficients equal to -1, and all the rest are 0
The reason: f and g are “small” polynomials, f has to be
inverse while g doesn’t
df=4 dg=3
f=-1+X+X2-X4+X6+X9-X10
g=-1+X2+X3+X5-X8-X10
5/23/2006 renw@cs.unlv.edu 12
Key Generation Example (cont.)
fp=1+2X+2X3+2X4+X5+2X7+X8+2X9
fq=5+9X+6X2+16X3+4X4+15X6+22X7+20X8+18X9+30X10
H=8+25X+22X2+20X3+12X4+24X5+15X6+19X7+12X8+19
X9+16X10
5/23/2006 renw@cs.unlv.edu 13
Is fp really inverse of f , fp*f=1 (mod
p) p=3 ? Verification
XN=1 (mod XN -1)
a*b=c0+c1X+c2X2+…+cN-2XN-2+cN-1XN-1 k N−1
ck=a0bk+a1bk-1+…+akb0+ak+1bN- ck = ∑a b i k −i + ∑a b i N + k −i = ∑a b i j
1+ak+2bN-2+…aN-1bk+1 i=0 i=k+1 i+ j≡k(modN)
fp=1+2X+2X3+2X4+X5+2X7+X8+2X9
f = -1+X+X2-X4+X6+X9-X10
e. g.
(1, 2, 0, 2, 2, 1, 0, 2, 1, 2, 0)
c0=1*(-1)+2*(-1)+0*1+2*0+2*0+1*1+
0*0+2*(-1)+1*0+2*1+0*1=
(-1)+(-2)+1+(-2)+2= -2 (-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1)
Since p=3
(-2) =1 (mod 3)
5/23/2006 renw@cs.unlv.edu 14
How to compute H=pfq*g (mod q)
q=32, p=3
Low Hamming Weight Polynomials
Reference: J.Hoffstein, J.Silverman, “Random Small Hamming
Weight Products With Applications to Cryptography,”
http://www.ntru.com/cryptolab/articles.htm, Last Access, May
19,2006
e.g. (4,5,7)*(5,3,2)
=4*(5,3,2)+5*(2,5,3)+7*(3,2,5)
=(20,12,8)+(10,25,15)+(21,14,35)
=(20+10+21, 12+25+14, 8+15+35)
= (51,51,56)
5/23/2006 renw@cs.unlv.edu 15
How to compute H=pfq*g (mod q)
q=32, p=3 (cont.)
Using Low Hamming Weight Polynomials
fq=5+9X+6X2+16X3+4X4+15X5+16X6+22X7+20X8+18X9+30X10
g=-1+X2+X3+X5-X8-X10
H=pfq*g (mod q) p=3, q=32
(-1,0,1,1,0,1,0,0,-1,0,-1)*(5,9,6,16,4,15,16,22,20,18,30)=
(-5,-9,-6,-16,-4,-15,-16,-22,-20,-18,-30)+
(18,30,5,9,6,16,4,15,16,22,20)+
(20,18,30,5,9,6,16,4,15,16, 22)+ H=8+25X+22X2+20X3+12X4+24X5+15
X6+19X7+12X8+19X9+16X10
(16,22,20,18,30,5,9,6,16,4,15)+
(-16,-4,-15,-16,-22,-20,-18,-30,-5,-9)+
(-9,-6-16,-4,0,-15,-16,-22,-20,-18,-30,-5)=(24,51….)
-5+18+20+16-16-9=24 24*3=72 72=8 (mod 32)
5/23/2006 renw@cs.unlv.edu 16
Encryption
m is plaintext in the form of a polynomial whose
coefficients are “small” mod q
Randomly choose another “small” polynomial r
r is “blinding value” which is used to obscure the
message (similar to the way that ElGamal
algorithm use a one-time random value when
encrypting)
e = r*h +m (modulo q),
e is encrypted message, m is plaintext, h is
public key
5/23/2006 renw@cs.unlv.edu 17
Encryption Example
r has dr coefficients equal to 1, dr-1 coefficients equal to -
1, and all others are 0
dr=3, r=-1+X2+X3+X4-X5-X7
m=-1+X3-X4-X8+X9+X10
h=8+25X+22X2+20X3+12X4+24X5+15X6+19X7+12X8+19
X9+16X10
e=r*h+m (mod q)
=(-1, 0,1,1,1,-1,0,-1,0,0,0)*(8,25,22,20,12,24,15,19,12,19,16)+
(-1,0,0,1,-1,0,0,0,-1,1,1)
=14+11X+26X2+24X3+14X4+16X5+30X6+7X7+25X8+6X9+19X10
5/23/2006 renw@cs.unlv.edu 18
Decryption
a = f*e (mod q), MUST choose coefficients of a
to lie between -q/2 and q/2, e.g. for q=32,
coefficients must lie in [-15, 16]
b = a (mod p), MUST choose coefficients of b
between -p/2 and p/2, for p=3, the range is [-1,1]
c = fp*b (mod p), MUST choose coefficients of c
between -p/2 and p/2, for p=3, the range is [-1,1]
5/23/2006 renw@cs.unlv.edu 19
Decryption Example: a=f*e (mod q)
e=14+11X+26X2+24X3+14X4+16X5+30X6+7X7+25X8+6
X9+19X10
f = -1+X+X2-X4+X6+X9-X10
(-1,1,1,0,-1,0,1,0,0,1,-1)*
(14,11,26,24,14,16,30,7,25,6,19)
mod 32, change coefficients to [-15,16]
a=3-7X-10X2-11X3+10X4+7X5+6X6+7X7+5X8-3X9-7X10
denoted by (3,-7,-10,-11,10,7,6,7,5,-3,-7)
5/23/2006 renw@cs.unlv.edu 20
Decryption Example: b=a (mod p)
a=3-7X-10X2-11X3+10X4+7X5+6X6+7X7+5X8-3X9-7X10
(3,-7,-10,-11,10,7,6,7,5,-3,-7)
b=-X-X2+X3+X4+X5+X7-X8-X10 (mod 3)
(0,-1,-1,1,1,1,0,1,-1,0,-1)
5/23/2006 renw@cs.unlv.edu 21
Decryption Example: c=fp*b (mod
p)
fp=1+2X+2X3+2X4+X5+2X7+X8+2X9
(1,2,0,2,2,1,0,2,1,2,0)
b=-X-X2+X3+X4+X5+X7-X8-X10
(0,-1,-1,1,1,1,0,1,-1,0,-1)
(0,-1,-1,1,1,1,0,1,-1,0,-1)*(1,2,0,2,2,1,0,2,1,2,0)=
(0,-1,-2,0,-2, -2,-1,0,-2,-1,-2,0)+
(0,0,-1,-2,0,-2, -2,-1,0,-2,-1,-2)+
(1,2,0,1,2,0,2,2,1,0,2)+
(2,1,2,0,1,2,0,2,2,1,0)+
(0,2,1,2,0,1,2,0,2,2,1)+ m = (-1,0,0,1,-1,0,0,0,-1,1,1)
(2,1,0,2,1,2,0,1,2,0,2)+
(-2,-2,-1,0,-2,-1,-2,0,-1,-2,0)+ equal
(-2,0,-2,-2,-1,0,-2,-1,-2,0,-1)
mod 3, change to [-1,1], therefore c = (-1,0,0,1,-1,0,0,0,-1,1,1)
5/23/2006 renw@cs.unlv.edu 22
Summary
Parameters: N, p (small prime), q (big number, power of
2, gcd(p,q)=1)
Private Key: Two randomly generated “small”
polynomials f, g
Computing fq, fp, fq*q=1 (mod q), fp*p=1(mod p)
Public key: h=pfq*g (mod q)
Encryption: randomly generated “small” polynomial r as
blind value
e=r*h+m (mod q), e is cipher text, m is plaintext
Decryption: a=f*e (mod q), b=a (mod p), c=fp*b (mod p),
change the coefficients, c is the result, which should be
equal to m
5/23/2006 renw@cs.unlv.edu 23
Why it Works
a=f*e (mod q) [e=r*h+m (mod q)]
=f*(r*h+m) (mod q) [h=pfq*g (mod q)]
=f*(r*pfq*g+m) (mod q) [f*fq=1 (mod q)]
=pr*g+f*m (mod q)
The polynomial r, g, f, m all have coefficients that are quite small, so the
coefficients of r*g and f*m are also quite small, at least in comparison to
q. Since prime p is also small compared to q, this means the polynomial
pr*g+f*m lie between –q/2 and q/2, so reducing the coefficients mod q
has no effect.
b=a=f*m (mod p)
c=fp*b=fp*f*m=m (mod p) [since fp*f=1 (mod p)]
5/23/2006 renw@cs.unlv.edu 24
Presentation Outline
Algebra Tutorial
Modular Arithmetic
Truncated Polynomial Rings
Inverse in Truncated Polynomial Rings
The NTRU Public Key Cryptosystem
NTRU PKCS Parameters
Key Generation
Encryption
Decryption
Why It Works
Advanced Topics (Optimizations)
Implementation Details
5/23/2006 renw@cs.unlv.edu 25
Optimizations
Reference:
J. Hoffstein, J. Silverman, “Optimizations for NTRU,” In:
Proc. of Public-Key Cryptography and Computational
Number Theory (Warsaw, September 11-15, 2000),
Walter de Gruyter, Berlin-New York, 2001.
J. Hoffstein, J. Silverman, “Random Small Hamming
Weight Products with Applications to Cryptography,” In:
Proc. of Com2MaC Workshop on Cryptography
(Pohang, Korea, June 2000), Discrete Mathematics, to
appear.
5/23/2006 renw@cs.unlv.edu 26
Optimizations (cont.)
Polynomial Multiplication
Low Hamming Weight Polynomials
e.g. m, f, g, r,
Products of Small Hamming Weight Polynomials
e.g. h=pfq*g (mod q), e=r*h+m (mod q), a=f*e (mod q)
Instead of taking f to be a single small polynomials,
form it by combining several even smaller
polynomials
e.g. in full-size versions of the cryptosystem, with
N=251, usually take small polynomials so that about
one third of the coefficients are non-zero
5/23/2006 renw@cs.unlv.edu 27
Optimizations (cont.)
e.g. for computing i*a, i=[1,0,1,1,1,1,1,1,0,0,1,1,0]
i=i1*i2=[1,0,1,0,0,0,0,1,0,0,0,0,0]*
[1,0,0,1,1,0,0,0,0,0,0,0,0]
I has 9 ones, so i*a take 9 additions pre coefficient
If we instead I with i1 and i2
First calculate i2*a, it take 3 additions pre coefficient,
then calculate i1*(i2*a), it take another 3 additions per
coefficient, so the total is 6 additions per coefficient, only
take 2/3 as long
5/23/2006 renw@cs.unlv.edu 28
Optimizations (cont.)
For commercial ntru, N=251
Short vector have about 72 non-zero coefficients
For decryption, a = f*e (mod q), let f=1+p*F
dF=72, f=1+p*((f1*f2)+f3)
df1=8,df2=8,df3=8, so it takes 24 additions pre
coefficients, not 72
For encryption, e=r*h+m (mod q), let r=(r1*r2)+r3
dr1=8, dr2=8, dr3=8, so it takes 24 additions pre
coefficients, not 72
5/23/2006 renw@cs.unlv.edu 29
Presentation Outline
Algebra Tutorial
Modular Arithmetic
Truncated Polynomial Rings
Inverse in Truncated Polynomial Rings
The NTRU Public Key Cryptosystem
NTRU PKCS Parameters
Key Generation
Encryption
Decryption
Why It Works
Advanced Topics (Optimizations)
Implementation Details
5/23/2006 renw@cs.unlv.edu 30
Implementation Details
Source code:
www.cs.unlv.edu/~renw/ntru_v22.c
Document:
www.cs.unlv.edu/~renw/ntru-tutorial-impl.pdf
Language: ANSI C
Compile: gcc ntru_v22.c –o ntru
Usage: ntru plaintext (max length is 11, ‘0’ and
‘1’ character)
eg. Ntru 11111000001
5/23/2006 renw@cs.unlv.edu 31
Functions in Program
GF_Ntru_ParameterSetup(11,32,3);
GF_Ntru_PrivateKeyGen();
GF_Ntru_PublicKeyGen();
GF_Ntru_BlindValueGen();
GF_Ntru_GetPlainText();
GF_Ntru_Encrypt();
GF_Ntru_Decrypt();
GF_Debug_Check_Result();
5/23/2006 renw@cs.unlv.edu 32
Program Organizations
GF_Ntru_ParameterSetup(11,32,3)
GF_Ntru_PrivateKeyGen() GF_Ntru_ParameterSetup
GF_Ntru_BlindValueGen() GF_Ntru_PublicKeyGen
Main() GF_Ntru_Decrypt
GF_Ntru_GetPlainText() GF_Ntru_BlindValueGen
GF_Ntru_Encrypt() GF_Ntru_GetPlainText
GF_Ntru_Decrypt()
GF_Debug_Check_Result()
5/23/2006 renw@cs.unlv.edu 33
Implementation Details (cont.)
Low weight hamming polynomial product, e.g. e=r*h + m (mod q)
for(t=0;t<GV_N;t++) //using low weight hamming polynomial multiplication
{
if (r[t]==1)
{
for(i=0;i<GV_N;i++)
e[i]=e[i]+h[i];
}
if (r[t]==-1)
{
for(i=0;i<GV_N;i++)
e[i]=e[i]-h[i];
}
// h[ ] one right shift
int swaptemp=h[GV_N-1];
for (i=GV_N-1;i>0;i--)
{
h[i]=h[i-1];
}
h[0]=swaptemp;
}
5/23/2006 renw@cs.unlv.edu 34
What’s Next
Implement commercial version, NTRU503, (on-
going, in debugging stage)
Hardware-software co-design Optimization
montogomery multiplication hardware implementation
(VHDL, ModelSim)
Performance comparison between RSA, ECC in
sensor network platform
Scrutiny of NTRU security (Lattices)
Ntru-based Key management (authentication,
signature) for wireless sensor network security
5/23/2006 renw@cs.unlv.edu 35
Acknowledgement
5/23/2006 renw@cs.unlv.edu 36
References
The NTRU Public Key Cryptosystem – A Tutorial,
http://www.ntru.com/cryptolab/tutorials.htm, last access is May 19,
2006
5/23/2006 renw@cs.unlv.edu 37